I'm Infected And Need Help


7 replies to this topic

#1 LennyA (Members, 15 posts)

Posted 30 September 2007 - 08:49 PM

Hi All,
I've got some kind of virus and Spybot won't clean it up. I was wondering if someone can help me. Attached is a HijackThis log of my latest computer scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:16 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\SeePassword\SeePassword.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\TGVubnkgQW1vcmU\command.exe
C:\Program Files\Insider\Insider.exe
C:\PROGRA~1\COMMON~1\ASKS~1\dllhost.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\M?crosoft.NET\n?tepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\faiylluo.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\SeePassword\SeePassword.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Disk Check] C:\WINDOWS\chkdsk32_.exe
O4 - HKLM\..\Run: [SeePassword] C:\Program Files\SeePassword\SeePassword.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mexhnqui.dll",sitypnow
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Insider] C:\Program Files\Insider\Insider.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Pasa] "C:\PROGRA~1\COMMON~1\ASKS~1\dllhost.exe" -vt yazb (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Rclm] "C:\Program Files\M?crosoft.NET\n?tepad.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Words] C:\Program Files\Words\Words.exe (User 'Administrator')
O4 - S-1-5-21-1644491937-1390067357-725345543-500 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
O4 - S-1-5-21-1644491937-1390067357-725345543-500 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGVubnkgQW1vcmU\command.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\faiylluo.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 14854 bytes


Thank you in advance.

Lenny
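Reading a log like the one above by hand is what the helpers here do. As an added example that is not part of this thread and not a HijackThis feature, the Python script below applies a few of the same tells to O4 (Run key) and O23 (service) lines: a '?' in a path (illegal in a Windows file name, so HijackThis could not render a look-alike character, as in M?crosoft.NET\n?tepad.exe), a directory whose name is base64 (TGVubnkgQW1vcmU decodes to 'Lenny Amore', plausibly the machine owner's name), an executable under a profile's Application Data, a DLL loaded through rundll32.exe, a service with a blank or "Unknown owner" vendor, a name that imitates a system binary, and a random-looking file name. The sample lines are copied from the posted log (a subset, not the whole log); the heuristics, the function names and the short MIMICKED list are assumptions made for this example.

```python
"""Triage of HijackThis O4/O23 lines for common malware tells.

Added example; not part of the thread and not a HijackThis feature. SAMPLE is
a subset of the posted log; the heuristics and MIMICKED are this example's own.
"""
import base64
import re

SAMPLE = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Check] C:\WINDOWS\chkdsk32_.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mexhnqui.dll",sitypnow
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Rclm] "C:\Program Files\M?crosoft.NET\n?tepad.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe (User 'Administrator')
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGVubnkgQW1vcmU\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\faiylluo.exe
"""

O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}$")
# System binaries whose names malware likes to imitate (short list assumed for the example).
MIMICKED = ("chkdsk", "svchost", "lsass", "csrss", "winlogon", "explorer", "notepad")
VOWELS = set("aeiou")


def base64_component(component):
    """Decode a path component if it is base64 for printable ASCII, else None."""
    if not B64_RE.match(component) or len(component) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(component + "=" * (-len(component) % 4))
    except ValueError:
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None


def looks_random(stem):
    """Heuristic: letters only, with no vowel at all or a run of four consonants."""
    if not stem.isalpha() or len(stem) < 5:
        return False
    return not (VOWELS & set(stem)) or re.search(r"[^aeiou]{4}", stem) is not None


def path_from_cmd(cmd):
    """Pull the file path out of an O4 command line (quoted or not)."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else re.split(r" [/-]", cmd)[0].strip()


def reasons_for(path, cmd="", vendor=None):
    """Tells that apply to one autostart entry (an empty list means nothing stood out)."""
    reasons = []
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if "?" in path:
        reasons.append("'?' is illegal in a Windows file name, so the tool could not render a non-ASCII look-alike character")
    for part in path.split("\\")[1:-1]:
        decoded = base64_component(part)
        if decoded:
            reasons.append(f"directory name is base64 for {decoded!r}")
    if "\\application data\\" in path.lower():
        reasons.append("executable lives in a user profile's Application Data")
    if cmd.lower().startswith("rundll32"):
        reasons.append("loaded through rundll32.exe; the DLL and its export are what to examine")
    if vendor is not None and vendor in ("", "Unknown owner"):
        reasons.append("service has no vendor string")
    reasons += [f"name imitates {real}" for real in MIMICKED if stem != real and stem.startswith(real)]
    if looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text):
    """Map each flagged path to its reasons; entries with nothing to report are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        if m4:
            path = path_from_cmd(m4["cmd"])
            reasons = reasons_for(path, cmd=m4["cmd"])
        elif m23:
            path = m23["path"].replace(" (file missing)", "")
            reasons = reasons_for(path, vendor=m23["vendor"])
        else:
            continue
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

On the eight sample lines the script flags six and leaves atiptaxx.exe and guard.exe alone. The random-name heuristic is deliberately loose and will trip on some legitimate vendor binaries (schedhlp.exe from the log above would be caught by the consonant-run rule), so treat it as a prompt to check the file's vendor, location and date, not as a verdict.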


#2 random/random (Malware Response Team, 2,704 posts)

Posted 01 October 2007 - 01:44 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall

#3 LennyA (Topic Starter)

Posted 03 October 2007 - 02:41 PM

Here it is....sorry for the delay

ComboFix 07-10-02.2 - Lenny 2007-10-04 15:36:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1578 [GMT -4:00]
Running from: C:\Documents and Settings\Lenny\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-09-28 15:04 167,444 --a------ C:\WINDOWS\system32\adnhfjnm.exe
2007-09-28 09:01 <DIR> d--hs---- C:\WINDOWS\TGVubnkgQW1vcmU
2007-09-27 14:56 <DIR> d-------- C:\Program Files\Temporary
2007-09-27 14:52 <DIR> d-------- C:\Program Files\SeePassword
2007-09-27 14:47 <DIR> d-------- C:\Program Files\DiscoverIt
2007-09-27 14:46 <DIR> d-------- C:\Program Files\PasswordTools
2007-09-22 09:05 <DIR> d-------- C:\Documents and Settings\Lenny\Application Data\WinRAR
2007-09-20 21:23 <DIR> d-------- C:\Program Files\TrendyFlash Site Builder
2007-09-16 21:32 4,608 --a------ C:\WINDOWS\chkdsk32_.exe
2007-09-16 15:23 94,208 --a------ C:\WINDOWS\eSellerateControl365.dll
2007-09-16 15:23 360,580 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-09-16 15:23 <DIR> d-------- C:\Program Files\Reportizer
2007-09-15 19:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SlySoft
2007-09-15 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-09-15 19:04 <DIR> d-------- C:\Program Files\SlySoft
2007-09-08 19:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2007-09-08 09:16 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-09-08 09:13 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-06 22:14 <DIR> d-------- C:\Program Files\MakBit Virtual CD-DVD
2007-09-05 21:19 <DIR> d-------- C:\Program Files\Weather1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 12:38 --------- d-------- C:\Documents and Settings\Lenny\Application Data\Wildfire
2007-09-19 22:06 --------- d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-16 13:20 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-04 21:03 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Wildfire
2007-09-04 20:55 --------- d-------- C:\Program Files\Tumble Bugs
2007-09-03 11:21 --------- d-------- C:\Documents and Settings\Lenny\Application Data\tvpaint animation
2007-09-03 11:18 --------- d-------- C:\Program Files\SafeNet Sentinel
2007-09-03 11:18 --------- d-------- C:\Program Files\Common Files\SafeNet Sentinel
2007-09-03 11:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-03 11:16 --------- d-------- C:\Program Files\TVPaint Developpement
2007-08-26 15:30 --------- d-------- C:\Documents and Settings\Lenny\Application Data\DivX
2007-08-26 15:25 --------- d-------- C:\Program Files\Naevius YouTube Converter
2007-08-26 15:25 --------- d-------- C:\Program Files\Google
2007-08-26 15:25 --------- d-------- C:\Program Files\DivX
2007-08-26 11:23 --------- d-------- C:\Program Files\bioVirtual
2007-08-26 10:54 --------- d-------- C:\Documents and Settings\Lenny\Application Data\EPSON
2007-08-17 15:12 --------- d-------- C:\Documents and Settings\Administrator\Application Data\X10 Commander
2007-08-14 21:12 843776 --------- C:\WINDOWS\UNNeroBurnRights.exe
2007-08-14 21:12 53248 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-08-14 21:12 --------- d-------- C:\Program Files\Ahead
2007-08-14 21:10 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-08-14 18:26 --------- d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-14 15:04 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-13 20:39 --------- d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2007-08-13 20:36 392320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-13 20:36 32768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-13 20:36 120992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-13 20:35 --------- d-------- C:\Program Files\Seagate
2007-08-13 20:35 --------- d-------- C:\Program Files\Common Files\Seagate
2007-08-12 11:05 --------- d-------- C:\Program Files\Windows Desktop Search
2007-08-10 21:05 --------- d-------- C:\Program Files\Trend Micro
2007-08-08 22:17 --------- d-------- C:\Program Files\blackmagic
2007-08-08 19:58 --------- d-------- C:\Program Files\onOne Software
2007-08-05 12:35 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-05 09:00 --------- d-------- C:\Program Files\Quark
2007-08-05 09:00 --------- d-------- C:\Program Files\Image Editor
2007-08-04 16:41 --------- d-------- C:\Program Files\Alwil Software
2007-08-03 23:34 185824 --a------ C:\WINDOWS\system32\567B6.sys
2007-08-03 23:34 128352 --a------ C:\WINDOWS\system32\567B6.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-01 20:04 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\TGVubnkgQW1vcmU\n3pRvB40kqYSwAo.vbs
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 21:10]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 22:25]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 20:44]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [2003-06-01 16:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-12-09 01:17]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-06-14 16:44]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-06-14 16:57]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-06-14 16:48]
"Disk Check"="C:\WINDOWS\chkdsk32_.exe" [2007-09-16 21:32]
"SeePassword"="C:\Program Files\SeePassword\SeePassword.exe" [2005-06-25 18:18]
"SearchIndexer"="C:\WINDOWS\system32\pvrqntcl.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 20:14]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 15:41]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2006-10-15 17:41]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-04-29 16:07:13]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-04-29 16:07:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqppn]
urqqppn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo]
C:\WINDOWS\system32\vtsqo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys
R2 KvaziDVD;KvaziDVD;\??\C:\Program Files\MakBit Virtual CD-DVD\kvazidvd.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 trysftnt;trysftnt;C:\WINDOWS\system32\drivers\trysftnt.sys
R2 wntpport;wntpport;C:\WINDOWS\system32\drivers\wntpport.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 SydexFDD;Sydex Diskette Driver;C:\WINDOWS\system32\drivers\sydexfdd.sys
S3 567B6;567B6;\??\C:\WINDOWS\system32\567B6.sys
S3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atineuxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
S3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinesxx.sys
S3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-27 16:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 15:39:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 15:40:20
C:\ComboFix-quarantined-files.txt ... 2007-10-04 15:39
C:\ComboFix2.txt ... 2007-09-08 23:13
C:\ComboFix3.txt ... 2007-08-14 18:00
.
--- E O F ---

#4 random/random (Malware Response Team, 2,704 posts)

Posted 03 October 2007 - 03:10 PM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\adnhfjnm.exe
    C:\WINDOWS\chkdsk32_.exe
    Folder::
    C:\WINDOWS\TGVubnkgQW1vcmU
    C:\Program Files\Temporary
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchIndexer"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqppn]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall
Then please upload this file:

C:\WINDOWS\system32\567B6.sys

To either jotti or virustotal & post the results as a reply to this topic

Repeat for these files:

C:\Program Files\MakBit Virtual CD-DVD\kvazidvd.sys
C:\WINDOWS\system32\drivers\trysftnt.sys
C:\WINDOWS\system32\drivers\wntpport.sys
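The CFscript above has three sections: File:: and Folder:: list paths for ComboFix to delete, and Registry:: uses .reg file syntax, where [-key] deletes a whole key and "name"=- under a [key] line deletes one value. As an added example that is not part of this thread and not a ComboFix feature, the Python script below parses such a script and checks it against ComboFix's own output: every File::/Folder:: target should appear under "Other Deletions" in the log of the run that used the script, and no Registry:: target should still be listed among the "Reg Loading Points". It also reports LSA Authentication Packages beyond msv1_0 (the only one on a stock Windows XP install), because the first log above shows relog_ap there and the script does not touch that key. The CFscript and log excerpts are copied from the posts above with blank and "." separator lines dropped; the function names are the example's own. Since the page only shows the first log's loading points, the registry check is run against that log, where all three targets are reported as present, which is the expected state before the script ran.

```python
# Added example (not from the thread, not a ComboFix feature): check a CFscript
# against ComboFix's own log. The excerpts below are copied from the posts above.
import re

CFSCRIPT = r"""
File::
C:\WINDOWS\system32\adnhfjnm.exe
C:\WINDOWS\chkdsk32_.exe
Folder::
C:\WINDOWS\TGVubnkgQW1vcmU
C:\Program Files\Temporary
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchIndexer"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqppn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo]
"""
# Second ComboFix log, produced by the run that used the script (excerpt).
AFTER_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\chkdsk32_.exe
C:\WINDOWS\system32\adnhfjnm.exe
C:\WINDOWS\TGVubnkgQW1vcmU
C:\WINDOWS\TGVubnkgQW1vcmU\n3pRvB40kqYSwAo.vbs
((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
"""
# First ComboFix log's loading points, i.e. the state before the script ran (excerpt).
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchIndexer"="C:\WINDOWS\system32\pvrqntcl.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqppn]
urqqppn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo]
C:\WINDOWS\system32\vtsqo.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"""
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only package on a stock Windows XP install


def parse_cfscript(text):
    """Split a CFscript into its File::, Folder:: and Registry:: sections."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_targets(reg_lines):
    """(key, value) deletion targets: [-key] deletes a key (value None), "name"=- deletes a value."""
    targets, key = [], None
    for line in reg_lines:
        if line.startswith("[-"):
            targets.append((line[2:-1].lower(), None))
        elif line.startswith("["):
            key = line[1:-1].lower()
        elif line.endswith("=-") and key is not None:
            targets.append((key, line[:-2].strip('"').lower()))
    return targets


def check_files(script, after_log):
    """File::/Folder:: targets the log's 'Other Deletions' block confirms, and those it does not."""
    deleted, inside = set(), False
    for line in after_log.splitlines():
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break  # next section banner: end of the deletions block
        elif inside and re.match(r"[A-Za-z]:\\", line):
            deleted.add(line.strip().lower())
    wanted = script.get("File", []) + script.get("Folder", [])
    return [p for p in wanted if p.lower() in deleted], [p for p in wanted if p.lower() not in deleted]


def registry_leftovers(script, log):
    """Registry:: targets that still appear among the log's loading points."""
    keys, values, key = set(), set(), None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            keys.add(key)
        elif line.startswith('"') and key is not None and line.count('"') >= 2:
            values.add((key, line[1:line.index('"', 1)].lower()))
    left = []
    for key, value in registry_targets(script.get("Registry", [])):
        if (value is None and key in keys) or (value is not None and (key, value) in values):
            left.append(key if value is None else key + "\\" + value)
    return left


def extra_auth_packages(log):
    """LSA Authentication Packages beyond the default: a load point the CFscript above does not touch."""
    m = re.search(r'"Authentication Packages"=\s*(.+)', log)
    return [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES] if m else []


if __name__ == "__main__":
    s = parse_cfscript(CFSCRIPT)
    print("files:", check_files(s, AFTER_LOG))
    print("registry still present:", registry_leftovers(s, BEFORE_LOG), "extra LSA:", extra_auth_packages(BEFORE_LOG))
```

Against the excerpts above, all four file and folder targets are confirmed by the "Other Deletions" block, the three registry targets are still present in the pre-run log, and relog_ap is the one Authentication Package outside the default. Paths and registry keys are compared case-insensitively because NTFS and the registry are.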

#5 LennyA (Topic Starter)

Posted 03 October 2007 - 08:44 PM

ComboFix 07-10-02.2 - Lenny 2007-10-04 21:43:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1454 [GMT -4:00]
Running from: C:\Documents and Settings\Lenny\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lenny\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\adnhfjnm.exe
C:\WINDOWS\chkdsk32_.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\chkdsk32_.exe
C:\WINDOWS\system32\adnhfjnm.exe
C:\WINDOWS\TGVubnkgQW1vcmU
C:\WINDOWS\TGVubnkgQW1vcmU\n3pRvB40kqYSwAo.vbs

.
((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
.

2007-09-27 14:52 <DIR> d-------- C:\Program Files\SeePassword
2007-09-27 14:47 <DIR> d-------- C:\Program Files\DiscoverIt
2007-09-27 14:46 <DIR> d-------- C:\Program Files\PasswordTools
2007-09-22 09:05 <DIR> d-------- C:\Documents and Settings\Lenny\Application Data\WinRAR
2007-09-20 21:23 <DIR> d-------- C:\Program Files\TrendyFlash Site Builder
2007-09-16 15:23 94,208 --a------ C:\WINDOWS\eSellerateControl365.dll
2007-09-16 15:23 360,580 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-09-16 15:23 <DIR> d-------- C:\Program Files\Reportizer
2007-09-15 19:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SlySoft
2007-09-15 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-09-15 19:04 <DIR> d-------- C:\Program Files\SlySoft
2007-09-08 19:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2007-09-08 09:16 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-09-08 09:13 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-06 22:14 <DIR> d-------- C:\Program Files\MakBit Virtual CD-DVD
2007-09-05 21:19 <DIR> d-------- C:\Program Files\Weather1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 12:38 --------- d-------- C:\Documents and Settings\Lenny\Application Data\Wildfire
2007-09-19 22:06 --------- d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-16 13:20 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-04 21:03 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Wildfire
2007-09-04 20:55 --------- d-------- C:\Program Files\Tumble Bugs
2007-09-03 11:21 --------- d-------- C:\Documents and Settings\Lenny\Application Data\tvpaint animation
2007-09-03 11:18 --------- d-------- C:\Program Files\SafeNet Sentinel
2007-09-03 11:18 --------- d-------- C:\Program Files\Common Files\SafeNet Sentinel
2007-09-03 11:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-03 11:16 --------- d-------- C:\Program Files\TVPaint Developpement
2007-08-26 15:30 --------- d-------- C:\Documents and Settings\Lenny\Application Data\DivX
2007-08-26 15:25 --------- d-------- C:\Program Files\Naevius YouTube Converter
2007-08-26 15:25 --------- d-------- C:\Program Files\Google
2007-08-26 15:25 --------- d-------- C:\Program Files\DivX
2007-08-26 11:23 --------- d-------- C:\Program Files\bioVirtual
2007-08-26 10:54 --------- d-------- C:\Documents and Settings\Lenny\Application Data\EPSON
2007-08-17 15:12 --------- d-------- C:\Documents and Settings\Administrator\Application Data\X10 Commander
2007-08-14 21:12 843776 --------- C:\WINDOWS\UNNeroBurnRights.exe
2007-08-14 21:12 53248 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-08-14 21:12 --------- d-------- C:\Program Files\Ahead
2007-08-14 21:10 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-08-14 18:26 --------- d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-14 15:04 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-13 20:39 --------- d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2007-08-13 20:36 392320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-13 20:36 32768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-13 20:36 120992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-13 20:35 --------- d-------- C:\Program Files\Seagate
2007-08-13 20:35 --------- d-------- C:\Program Files\Common Files\Seagate
2007-08-12 11:05 --------- d-------- C:\Program Files\Windows Desktop Search
2007-08-10 21:05 --------- d-------- C:\Program Files\Trend Micro
2007-08-08 22:17 --------- d-------- C:\Program Files\blackmagic
2007-08-08 19:58 --------- d-------- C:\Program Files\onOne Software
2007-08-05 12:35 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-05 09:00 --------- d-------- C:\Program Files\Quark
2007-08-05 09:00 --------- d-------- C:\Program Files\Image Editor
2007-08-03 23:34 185824 --a------ C:\WINDOWS\system32\567B6.sys
2007-08-03 23:34 128352 --a------ C:\WINDOWS\system32\567B6.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-01 20:04 774144 --a------ C:\Program Files\RngInterstitial.dll
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 21:10]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 22:25]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 20:44]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [2003-06-01 16:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-12-09 01:17]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-06-14 16:44]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-06-14 16:57]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-06-14 16:48]
"Disk Check"="C:\WINDOWS\chkdsk32_.exe" []
"SeePassword"="C:\Program Files\SeePassword\SeePassword.exe" [2005-06-25 18:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 20:14]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 15:41]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2006-10-15 17:41]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-04-29 16:07:13]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-04-29 16:07:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys
R2 KvaziDVD;KvaziDVD;\??\C:\Program Files\MakBit Virtual CD-DVD\kvazidvd.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 trysftnt;trysftnt;C:\WINDOWS\system32\drivers\trysftnt.sys
R2 wntpport;wntpport;C:\WINDOWS\system32\drivers\wntpport.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 SydexFDD;Sydex Diskette Driver;C:\WINDOWS\system32\drivers\sydexfdd.sys
S3 567B6;567B6;\??\C:\WINDOWS\system32\567B6.sys
S3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atineuxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
S3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinesxx.sys
S3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-27 16:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 21:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 21:44:03
C:\ComboFix-quarantined-files.txt ... 2007-10-04 21:43
C:\ComboFix2.txt ... 2007-10-04 15:40
C:\ComboFix3.txt ... 2007-09-08 23:13
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:13 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Disk Check] C:\WINDOWS\chkdsk32_.exe
O4 - HKLM\..\Run: [SeePassword] C:\Program Files\SeePassword\SeePassword.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Insider] C:\Program Files\Insider\Insider.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Pasa] "C:\PROGRA~1\COMMON~1\ASKS~1\dllhost.exe" -vt yazb (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Rclm] "C:\Program Files\M?crosoft.NET\n?tepad.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Words] C:\Program Files\Words\Words.exe (User 'Administrator')
O4 - S-1-5-21-1644491937-1390067357-725345543-500 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
O4 - S-1-5-21-1644491937-1390067357-725345543-500 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 13252 bytes

#6 LennyA

LennyA
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:45 PM

Posted 03 October 2007 - 08:47 PM

It won't let me upload a file?

#7 LennyA

LennyA
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:45 PM

Posted 03 October 2007 - 08:58 PM

I scanned those files at that site and it said they were all ok....

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:02:45 AM

Posted 04 October 2007 - 11:09 AM

Run HijackThis
Click on "Do a system scan only"
Place a checkmark next to these lines (if still present):


O4 - HKLM\..\Run: [Disk Check] C:\WINDOWS\chkdsk32_.exe
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Pasa] "C:\PROGRA~1\COMMON~1\ASKS~1\dllhost.exe" -vt yazb (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [Rclm] "C:\Program Files\M?crosoft.NET\n?tepad.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-1390067357-725345543-500\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe (User 'Administrator')

Then close all windows except HijackThis and click Fix Checked

Restart

Use Windows Explorer to find and delete this file:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\tscsn.exe

And this folder:

C:\Documents and Settings\Administrator\Application Data\WinTouch\

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double-click the My Computer icon on your Desktop.
Double-click on Local Disk (C:)
Double-click on the Windows folder,
Double-click on the System32 folder,
Right-click on filetogo.bye and, from the menu that appears, click on 'Delete'


Then please upload these files:

C:\Program Files\Words\Words.exe
C:\Program Files\Insider\Insider.exe

To either jotti or virustotal & post the results as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
