Newwin32 Virus


2 replies to this topic

#1 marscaver

  • Members
  • 2 posts

Posted 16 October 2007 - 01:01 PM

McAfee says I have a NewWin32 virus in C:/program files/Avanques/Fix-it.
I need some help to remove it, as I have not been able to. Thanks for the time and trouble :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:54 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\CachemanXP\CachemanXP.exe
C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\WiredPlane\WireChanger\WireChanger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptcl.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\Program Files\Avanquest\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\Avanquest\Fix-It\MemCheck.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: WireChanger.lnk = C:\Program Files\WiredPlane\WireChanger\WireChanger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0294741186933410) (0294741186933410mcinstcleanup) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\Installer\cleanup.ini.exe (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CachemanXP\CachemanXP.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9723 bytes

#2 Guest_Cretemonster_*

  • Guests

Posted 17 October 2007 - 04:00 AM

Hi marscaver and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Another Note:
McAfee will flag ComboFix while it's running; if you get a prompt, please allow the script to run.

Edited by Cretemonster, 17 October 2007 - 04:04 AM.


#3 marscaver

  • Topic Starter
  • Members
  • 2 posts

Posted 19 October 2007 - 01:50 PM

Really, thanks very much for your help... :thumbsup:

ComboFix log, then HijackThis log... both new as of 10-19-07


ComboFix 07-10-17.8@ - Don 2007-10-19 13:23:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1404 [GMT -5:00]
Running from: C:\Documents and Settings\Don\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\winsys.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-19 13:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 06:00 <DIR> d-------- C:\WINDOWS\speech
2007-10-18 06:00 <DIR> d-------- C:\WINDOWS\lhsp
2007-10-17 17:42 <DIR> d-------- C:\Program Files\QuoteTracker
2007-10-16 12:19 <DIR> d-------- C:\Program Files\Hijack this
2007-10-16 10:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-12 08:00 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-09 16:15 <DIR> d-------- C:\Program Files\CachemanXP
2007-10-09 08:55 <DIR> d-------- C:\Program Files\Backup Expert
2007-10-09 08:55 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Backup Expert
2007-10-08 23:53 <DIR> d-------- C:\Program Files\WinPcap
2007-10-07 09:03 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-10-05 15:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2007-10-05 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-05 15:38 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Avanquest
2007-10-05 15:38 <DIR> dr-hs---- C:\_Backup.RC
2007-10-05 15:38 <DIR> d--h----- C:\_Backup
2007-10-05 15:36 <DIR> d-------- C:\Program Files\Avanquest
2007-10-04 11:04 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-10-04 11:04 <DIR> d-------- C:\NVIDIA
2007-10-03 12:45 129,024 --a------ C:\WINDOWS\system32\AVERM.dll
2007-10-03 12:45 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2007-10-03 12:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-03 08:30 <DIR> d-------- C:\Program Files\SecondLife
2007-10-03 06:04 <DIR> d-------- C:\Program Files\Rocket Division Software
2007-10-03 06:04 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-03 06:04 84,736 --a------ C:\WINDOWS\system32\drivers\StarPortLite.sys
2007-10-02 06:43 <DIR> d-------- C:\Program Files\Sytexis Software
2007-10-02 06:42 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Sytexis Software
2007-09-30 17:15 <DIR> d-------- C:\Program Files\ASUS
2007-09-30 17:15 24,576 --a------ C:\WINDOWS\system32\AsIO.dll
2007-09-30 17:15 12,664 --a------ C:\WINDOWS\system32\drivers\AsIO.sys
2007-09-30 17:15 12,096 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2007-09-30 17:15 10,304 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2007-09-28 09:55 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-09-26 15:06 <DIR> d-------- C:\Program Files\ASTRA32
2007-09-24 05:51 <DIR> d-------- C:\Program Files\Advanced Registry Doctor
2007-09-23 22:33 <DIR> d-------- C:\Documents and Settings\Don\Application Data\AptEdit
2007-09-20 09:25 23,916,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-20 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-19 05:58 <DIR> d-------- C:\Program Files\Driver Magician
2007-09-19 05:58 110,602 --a------ C:\WINDOWS\system32\xcdsfx32.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 18:31 --------- d-----w C:\Program Files\Prevx2
2007-10-19 18:29 --------- d-----w C:\Documents and Settings\Don\Application Data\WireChanger
2007-10-19 18:25 266,504 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-19 18:18 --------- d-----w C:\Program Files\TextAloud
2007-10-19 16:44 --------- d-----w C:\Program Files\BOINC
2007-10-19 14:35 --------- d-----w C:\Program Files\a-squared Free
2007-10-18 10:31 --------- d-----w C:\Documents and Settings\Don\Application Data\Prevx
2007-10-18 10:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-09 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-09 14:01 --------- d-----w C:\Program Files\SpeedFan
2007-10-07 10:50 --------- d-----w C:\Program Files\Java
2007-10-06 03:02 --------- d-----w C:\Program Files\InControl
2007-10-05 23:46 --------- d-----w C:\Program Files\Media Resizer PRO
2007-10-05 20:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-21 14:18 --------- d-----w C:\Documents and Settings\Don\Application Data\VCOM
2007-09-19 01:54 --------- d-----w C:\Program Files\Registry Easy
2007-09-19 00:07 --------- d-----w C:\Program Files\Cablenut
2007-09-18 14:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Talkback
2007-09-18 13:26 --------- d-----w C:\Program Files\RMClock
2007-09-16 23:06 --------- d-----w C:\Program Files\Western Digital
2007-09-16 21:43 --------- d-----w C:\Program Files\Wondershare
2007-09-16 21:41 --------- d-----w C:\Program Files\AVS4YOU
2007-09-16 21:36 --------- d-----w C:\Program Files\Total Network Inventory
2007-09-16 21:34 --------- d-----w C:\Program Files\Nufsoft
2007-09-16 03:42 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Talkback
2007-09-16 02:44 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-09-14 22:06 --------- d-----w C:\Program Files\Bethesda Softworks
2007-09-14 20:12 --------- d-----w C:\Program Files\SiteAdvisor
2007-09-14 20:12 --------- d-----w C:\Program Files\Realtek
2007-09-14 20:12 --------- d-----w C:\Program Files\iTunes
2007-09-14 20:12 --------- d-----w C:\Program Files\iPod
2007-09-14 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-09-14 20:11 --------- d-----w C:\Program Files\WinClamAVShield
2007-09-14 20:11 --------- d-----w C:\Program Files\NVTweak
2007-09-14 20:11 --------- d-----w C:\Documents and Settings\Don\Application Data\Spyware Terminator
2007-09-14 04:34 --------- d-----w C:\Documents and Settings\Don\Application Data\SiteAdvisor
2007-09-08 12:47 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2007-09-07 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-06 21:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 21:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-01 12:56 --------- d-----w C:\Documents and Settings\Don\Application Data\SecondLife
2007-08-31 17:41 29,600 ----a-w C:\WINDOWS\system32\mxntdfg.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-25 21:55 262,144 ----a-w C:\WINDOWS\system32\HookMAp.dll
2007-07-25 21:54 266,240 ----a-w C:\WINDOWS\system32\HookShield.dll
2007-07-25 21:20 1,748,992 ----a-w C:\WINDOWS\system32\msicpl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

C:\Documents and Settings\Don\Start Menu\Programs\Startup\
WireChanger.lnk - C:\Program Files\WiredPlane\WireChanger\WireChanger.exe [2007-05-27 08:52:21]

C:\Documents and Settings\Don\Start Menu\Programs\Startup\
WireChanger.lnk - C:\Program Files\WiredPlane\WireChanger\WireChanger.exe [2007-05-27 08:52:21]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

.
Contents of the 'Scheduled Tasks' folder
"2007-06-16 06:01:08 C:\WINDOWS\Tasks\Don backup.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-06-16 06:26:45 C:\WINDOWS\Tasks\Don scan and fix.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-08-12 15:43:19 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-08-12 15:43:18 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 13:26:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 13:34:51 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2007-10-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\WiredPlane\WireChanger\WireChanger.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptcl.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: 2nd &Speech Center - {CFE40ED8-564E-4693-A9D9-80DB70C8E460} - E:\PROGRA~1\2nd Speech Center\tts4ie.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\Program Files\Avanquest\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\Avanquest\Fix-It\MemCheck.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: WireChanger.lnk = C:\Program Files\WiredPlane\WireChanger\WireChanger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0294741186933410) (0294741186933410mcinstcleanup) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\Installer\cleanup.ini.exe (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CachemanXP\CachemanXP.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\Avanquest\Fix-It\mxtask.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9595 bytes

Edited by TMacK, 19 October 2007 - 01:59 PM.
Mod Edit: Merged New topic created in with this Thread~TMacK
