Virtuamonde (and A Host Of Other Things)


18 replies to this topic

#1 skoolyardpunk

Posted 19 October 2007 - 03:21 AM

When I turned my computer on I noticed that all of my startup programs had been corrupted or deleted. I can no longer even open Internet Explorer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:51 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://z6.invisionfree.com/distortional_addict
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Update 5370C] C:\sj666\hpupdate.exe 5370C+
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA1010] command /c del "C:\WINDOWS\system32\winuqw32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9384] cmd /c del "C:\WINDOWS\system32\winuqw32.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7560] command /c del "C:\WINDOWS\system32\winuqw32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1446] cmd /c del "C:\WINDOWS\system32\winuqw32.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk788YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.27/uploader2.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E04E97-A5A0-4587-B3D5-4F35A2FAADB6}: NameServer = 205.152.37.23,205.152.144.23
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - http://pics.ebaystatic.com/aw/pics/hp/imgHPTagExpnd.jpg

--
End of file - 7008 bytes

#2 SifuMike (malware expert, Staff Emeritus)

Posted 20 October 2007 - 05:46 PM

Hello skoolyardpunk,

Any idea where you got whataboutadog from?


Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report, is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 20 October 2007 - 06:32 PM.


#3 skoolyardpunk (Topic Starter)

Posted 21 October 2007 - 02:20 AM

I actually got it while looking for a patch for AnyDVD. I forget the site I got it from. But I think I extracted a file called keygen.exe and that's when all hell broke loose. It was one of the first few sites I was linked to when I googled anydvd patch.

Here's the log you asked for:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 10/21/2007
The current time is: 3:14:30.82


bak folders found
~~~~~~~~~~~


Directory of C:\SJ666\BAK

02/08/2002 02:14 PM 32,768 hpupdate.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\AIM6\BAK

04/27/2007 05:17 PM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 12:51 PM 118,784 hkcmd.exe
02/10/2004 12:55 PM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

09/20/2007 10:01 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

09/14/2007 05:25 AM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

07/03/2001 09:11 AM 57,344 hpgs2wnd.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\SLYSOFT\ANYDVD\BAK

10/18/2007 07:28 AM 497,152 AnyDVD.exe
1 File(s) 497,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/21/2007 02:07 AM 185,632 realsched.exe
1 File(s) 185,632 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 18 2007 "C:\sj666\hpupdate.exe"
32768 Feb 8 2002 "C:\sj666\bak\hpupdate.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
26636 Oct 18 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
51422520 Sep 27 2007 "C:\Documents and Settings\Owner\My Documents\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 27 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
359986 Sep 27 2007 "C:\Documents and Settings\Owner\Local Settings\Temp\iTunesPluginWinSetup_2.0.13.0.exe"
116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
26636 Oct 18 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 18 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
26636 Oct 18 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
52272 Sep 20 2007 "C:\Program Files\Google\googletoolbar1user.exe"
26636 Oct 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1145896 Sep 21 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Sep 20 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
68856 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
421888 Oct 19 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
26636 Oct 18 2007 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
57344 Jul 3 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
26636 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
497152 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
26636 Oct 18 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Sep 21 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#4 SifuMike (malware expert, Staff Emeritus)

Posted 21 October 2007 - 11:30 AM

Hi skoolyardpunk,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\sj666\bak\hpupdate.exe"
"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

#5 skoolyardpunk (Topic Starter)

Posted 21 October 2007 - 07:27 PM

Did what you asked, here's the log:



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/21/2007
The current time is: 20:25:08.37


bak folders found
~~~~~~~~~~~


Directory of C:\SJ666\BAK

02/08/2002 02:14 PM 32,768 hpupdate.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\AIM6\BAK

04/27/2007 05:17 PM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 12:51 PM 118,784 hkcmd.exe
02/10/2004 12:55 PM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

09/20/2007 10:01 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

09/14/2007 05:25 AM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

07/03/2001 09:11 AM 57,344 hpgs2wnd.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\SLYSOFT\ANYDVD\BAK

10/18/2007 07:28 AM 497,152 AnyDVD.exe
1 File(s) 497,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/21/2007 02:07 AM 185,632 realsched.exe
1 File(s) 185,632 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 Feb 8 2002 "C:\sj666\hpupdate.exe"
32768 Feb 8 2002 "C:\sj666\bak\hpupdate.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
51422520 Sep 27 2007 "C:\Documents and Settings\Owner\My Documents\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 27 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
359986 Sep 27 2007 "C:\Documents and Settings\Owner\Local Settings\Temp\iTunesPluginWinSetup_2.0.13.0.exe"
116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
52272 Sep 20 2007 "C:\Program Files\Google\googletoolbar1user.exe"
26636 Oct 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1145896 Sep 21 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Sep 20 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
68856 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
421888 Oct 19 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
57344 Jul 3 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
57344 Jul 3 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
497152 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
497152 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
185632 Sep 21 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Sep 21 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#6 SifuMike (malware expert, Staff Emeritus)

Posted 21 October 2007 - 09:04 PM

Hi skoolyardpunk,

Looks like they were all restored but one file, so we will run it again.

Make sure you copy and paste exactly as I have it listed. DO NOT take out the " around the file name or it will not restore the file.

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 21 October 2007 - 09:21 PM.

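The restore step in posts #4 and #6 depends on copying the `bak\` paths out of the FindAWF report by hand (compare the GoogleToolbarNotifier path in post #4 with the one in post #6 to see why a second run was needed). The following Python is an added example for this page, not FindAWF's own code and not something posted in the thread: it parses the "Duplicate files of bak directory contents" section, flags each `bak\` copy whose sibling in the parent folder is missing or has a different size, reports the size the swapped-in files share, and emits the quoted list in the form FindAWF's files.txt expects. The sample input is an excerpt of the report in post #3; the function and field names are mine, and nothing here claims to reproduce how FindAWF itself decides what to restore.

```python
"""Parse a FindAWF 'Duplicate files of bak directory contents' section and
work out which startup executables were replaced.

The pattern the report exposes: the legitimate .exe has been moved into a
new 'bak' subfolder and a different binary sits under the original name in
the parent folder. Comparing each bak\\ file with its sibling in the parent
folder shows what needs restoring; emitting the quoted bak paths avoids
retyping them into files.txt."""
import ntpath
import re
from collections import Counter

# One entry per report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')

# Excerpt of the first FindAWF report in this thread (post #3).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 18 2007 "C:\sj666\hpupdate.exe"
32768 Feb 8 2002 "C:\sj666\bak\hpupdate.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
26636 Oct 18 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
51422520 Sep 27 2007 "C:\Documents and Settings\Owner\My Documents\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
26636 Oct 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
421888 Oct 19 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"

end of report
"""


def parse_report(text):
    """Return {normalised_path: (size, date, original_path)} for every file line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[ntpath.normcase(m.group(3))] = (int(m.group(1)), m.group(2), m.group(3))
    return entries


def parent_of_bak(path):
    """For X\\bak\\name.exe return X\\name.exe; None if the file is not in a bak folder."""
    folder, name = ntpath.split(path)
    grand, leaf = ntpath.split(folder)
    return ntpath.join(grand, name) if leaf.lower() == "bak" else None


def find_replaced(entries):
    """One record per bak\\ file whose sibling in the parent folder is missing
    or has a different size, i.e. the original was swapped for something else."""
    findings = []
    for size, date, path in entries.values():
        parent = parent_of_bak(path)
        if parent is None:
            continue
        sibling = entries.get(ntpath.normcase(parent))
        if sibling is None:
            findings.append({"bak": path, "parent": parent, "parent_size": None,
                             "bak_size": size, "status": "original missing from parent folder"})
        elif sibling[0] != size:
            findings.append({"bak": path, "parent": parent, "parent_size": sibling[0],
                             "bak_size": size, "status": "parent file differs from bak copy"})
    return findings


def rogue_size(findings):
    """(size, count) of the most common swapped-in file size, or None."""
    sizes = Counter(f["parent_size"] for f in findings if f["parent_size"] is not None)
    return sizes.most_common(1)[0] if sizes else None


def restore_list(findings):
    """Quoted bak paths, one per line, as pasted below the line in files.txt."""
    return ['"%s"' % f["bak"] for f in findings]


if __name__ == "__main__":
    found = find_replaced(parse_report(SAMPLE_REPORT))
    for f in found:
        print(f"{f['status']}: {f['parent']} ({f['parent_size']} bytes) <- {f['bak']} ({f['bak_size']} bytes)")
    print("shared rogue size:", rogue_size(found))
    print("\n".join(restore_list(found)))
```

Feeding the report from post #5 through the same functions leaves exactly one finding (the GoogleToolbarNotifier pair, 26636 versus 68856 bytes), which is the file the second restore run in post #6 targets.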

#7 skoolyardpunk (Topic Starter)

Posted 21 October 2007 - 10:58 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/21/2007
The current time is: 23:56:05.35


bak folders found
~~~~~~~~~~~


Directory of C:\SJ666\BAK

02/08/2002 02:14 PM 32,768 hpupdate.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\AIM6\BAK

04/27/2007 05:17 PM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 12:51 PM 118,784 hkcmd.exe
02/10/2004 12:55 PM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

09/20/2007 10:01 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

09/14/2007 05:25 AM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

07/03/2001 09:11 AM 57,344 hpgs2wnd.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\SLYSOFT\ANYDVD\BAK

10/18/2007 07:28 AM 497,152 AnyDVD.exe
1 File(s) 497,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/21/2007 02:07 AM 185,632 realsched.exe
1 File(s) 185,632 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 Feb 8 2002 "C:\sj666\hpupdate.exe"
32768 Feb 8 2002 "C:\sj666\bak\hpupdate.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
51422520 Sep 27 2007 "C:\Documents and Settings\Owner\My Documents\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 27 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
359986 Sep 27 2007 "C:\Documents and Settings\Owner\Local Settings\Temp\iTunesPluginWinSetup_2.0.13.0.exe"
116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\10300\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
52272 Sep 20 2007 "C:\Program Files\Google\googletoolbar1user.exe"
68856 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
1145896 Sep 21 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Sep 20 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
68856 Sep 20 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
421888 Oct 19 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
57344 Jul 3 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
57344 Jul 3 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
497152 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
497152 Oct 18 2007 "C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe"
185632 Sep 21 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Sep 21 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#8 SifuMike (malware expert, Staff Emeritus)

Posted 22 October 2007 - 12:13 PM

Hi skoolyardpunk,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\sj666\bak
C:\Program Files\AIM6\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\SlySoft\AnyDVD\bak
C:\Program Files\Common Files\Real\Update_OB\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#9 skoolyardpunk (Topic Starter)

Posted 22 October 2007 - 07:18 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/22/2007
The current time is: 20:15:39.90


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#10 SifuMike (malware expert, Staff Emeritus)

Posted 22 October 2007 - 10:47 PM

skoolyardpunk,

Please double-click the FindAWF icon once again
This time we are going to remove one folder.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\MESSENGER\BAK

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 22 October 2007 - 10:53 PM.


#11 skoolyardpunk (Topic Starter)

Posted 23 October 2007 - 06:09 AM

Looks like they're all gone.

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/23/2007
The current time is: 7:08:11.28


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#12 SifuMike (malware expert, Staff Emeritus)

Posted 23 October 2007 - 11:55 AM

Hi skoolyardpunk,

Great! :thumbsup:

Now we run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT




If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your Antivirus and scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#13 skoolyardpunk (Topic Starter)

Posted 23 October 2007 - 08:20 PM

Combofix log....

ComboFix 07-10-23.1 - Owner 2007-10-23 21:08:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvcimr.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-23 20:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 03:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-19 01:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-19 01:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-18 07:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SlySoft
2007-10-18 07:02 <DIR> d-------- C:\Program Files\SlySoft
2007-10-18 05:56 162,304 --a------ C:\UNWISE.EXE
2007-10-17 07:33 <DIR> d-------- C:\Program Files\Project64 1.6
2007-10-14 22:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-14 22:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-14 22:23 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 22:15 <DIR> dr-h----- C:\MSOCache
2007-10-08 20:22 <DIR> d-------- C:\Program Files\LucasArts
2007-09-30 18:10 <DIR> d-------- C:\Program Files\Audacity
2007-09-28 09:50 <DIR> d-------- C:\Program Files\Bonjour
2007-09-28 09:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ruckus Network
2007-09-28 09:49 <DIR> d-------- C:\Program Files\Ruckus Player
2007-09-27 13:50 <DIR> d-------- C:\Program Files\iTunes
2007-09-27 13:50 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 12:17 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-23 11:00 --------- d-----w C:\Program Files\Soulseek
2007-10-23 00:15 --------- d-----w C:\Program Files\QuickTime
2007-10-23 00:15 --------- d-----w C:\Program Files\AIM6
2007-10-19 08:24 --------- d-----w C:\Program Files\Viewpoint
2007-10-19 07:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-09-30 19:53 --------- d-----w C:\Program Files\DivX
2007-09-27 17:50 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 21:39 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo!
2007-09-23 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-09-22 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2007-09-22 05:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-21 06:07 --------- d-----w C:\Program Files\Real
2007-09-21 06:07 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-21 06:07 --------- d-----w C:\Program Files\Common Files\Real
2007-09-21 01:39 --------- d-----w C:\Program Files\JetAudio
2007-09-21 01:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-09-21 01:16 --------- d-----w C:\Program Files\Last.fm
2007-09-21 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2007-09-21 00:40 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-21 00:21 --------- d-----w C:\Program Files\Google
2007-09-19 12:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-19 12:44 --------- d-----w C:\Program Files\Transparent
2007-09-19 12:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-19 12:43 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-19 12:39 --------- d-----w C:\Program Files\VideoLAN
2007-09-19 12:38 --------- d-----w C:\Program Files\ACD Systems
2007-09-19 12:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-09-19 12:32 --------- d-----w C:\Program Files\Picasa2
2007-09-18 12:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-09-11 16:31 3,080 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-09-11 04:08 --------- d-----w C:\Program Files\Hewlett-Packard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 12:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 12:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-19 03:15]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" []
"HP Update 5370C"="C:\sj666\hpupdate.exe" [2002-02-08 14:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-21 02:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 22:01]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-18 07:28]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]
winuqw32.dll

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d790af54-612b-11dc-b8d5-000f1f7af35c}]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d790af62-612b-11dc-b8d5-000f1f7af35c}]
AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 21:12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 21:13:40 - machine was rebooted
.
--- E O F ---





Hijack this log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:18 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\sj666\hpupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://z6.invisionfree.com/distortional_addict
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Update 5370C] C:\sj666\hpupdate.exe 5370C+
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk788YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.27/uploader2.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E04E97-A5A0-4587-B3D5-4F35A2FAADB6}: NameServer = 205.152.37.23,205.152.144.23
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://pics.ebaystatic.com/aw/pics/hp/imgHPTagExpnd.jpg

--
End of file - 7088 bytes

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:29 PM

Posted 23 October 2007 - 09:25 PM

Hi skoolyardpunk,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Reboot your computer.

*******************************************


I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

When everything is done and your log is clean again, you can enable it again.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O8 - Extra context menu item: &Search - ?p=ZNxmk788YYUS
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)


If you do not want this image on your desktop, then fix it.
O24 - Desktop Component 0: (no name) - http://pics.ebaystatic.com/aw/pics/hp/imgHPTagExpnd.jpg


These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
(Description: Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. This task does not actually need to be installed as a startup since iTunes starts it up anyway when it needs it. Let iTunes start it up whenever it needs to, particularly since it has a history of occasionally conflicting with other software and it uses nearly 6Mb of memory. )

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\Program Files\Viewpoint

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

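The triage SifuMike does by hand in the post above (spot the orphaned `(no file)` / `(file missing)` loading points, the O20 Winlogon Notify DLL, the O8 context-menu item with no real target, then confirm in the next log that they are gone) can be expressed as a small script. The one below is an added example written for this page; it is not HijackThis, ComboFix or any tool from the thread. The sample lines are copied from the logs posted in this thread, and the flagging rules are the editor's own heuristics modelled on the fixes requested here, not HijackThis's logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: HijackThis entries copied from the logs posted
# in this thread. BEFORE_LOG is from the log posted before the fixes,
# AFTER_LOG from the log posted after them.
BEFORE_LOG = [
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O8 - Extra context menu item: &Search - ?p=ZNxmk788YYUS",
    r"O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000",
    r"O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]
AFTER_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000",
]

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; process lists and headers do not match.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends these when the file a loading point names does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# A context-menu target that points somewhere concrete: a drive path or a
# res:// / http(s):// / file:// URL. Anything else deserves a look.
CONCRETE_TARGET = re.compile(r"^(?:[A-Za-z]:\\|res://|https?://|file://)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    raw: str


def parse_log(lines: List[str]) -> List[Entry]:
    """Keep only the lines that look like HijackThis entries."""
    entries = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def flag(entry: Entry) -> List[str]:
    """Reasons (possibly none) why an entry deserves a human look.

    Editor's heuristics modelled on the fixes in this thread, not HijackThis's
    own classification; a flagged entry is a review item, not a verdict.
    """
    reasons = []
    if entry.body.endswith(ORPHAN_MARKERS):
        reasons.append("orphaned loading point: the file is gone but the registry entry remains")
    if entry.section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon at logon, a persistence point worth reviewing")
    if entry.section == "O8":
        target = entry.body.rsplit(" - ", 1)[-1]
        if not CONCRETE_TARGET.match(target):
            reasons.append("context menu item whose target is neither a file path nor a URL")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry's raw line to the reasons it was flagged."""
    return {e.raw: flag(e) for e in parse_log(lines) if flag(e)}


def removed_entries(before: List[str], after: List[str]) -> List[str]:
    """Entries present in the earlier log and absent from the later one, in log order.

    This is the check a helper does after a fix: confirm the requested
    entries really disappeared rather than trusting the tool's report.
    """
    after_raw = {e.raw for e in parse_log(after)}
    return [e.raw for e in parse_log(before) if e.raw not in after_raw]


if __name__ == "__main__":
    for raw, reasons in triage_log(BEFORE_LOG).items():
        print(raw)
        for reason in reasons:
            print("   ->", reason)
    print("\nRemoved after the fix:")
    for raw in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  ", raw)
```

Run against the two sample lists, `triage_log` flags the R3, the `&Search` O8 and the O20 entries (the O20 line collects two reasons, since it is both a Winlogon Notify DLL and orphaned), and `removed_entries` lists the three fixed items plus the Viewpoint service, matching what the post-fix log in the next reply shows. The O4 and Excel O8 entries are left alone, which is the point: flagging by structure rather than by name keeps legitimate startup items out of the review list.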
#15 skoolyardpunk

skoolyardpunk
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 24 October 2007 - 04:35 AM

ComboFix 07-10-23.1 - Owner 2007-10-24 5:28:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-23 20:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 03:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-19 01:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-19 01:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-18 07:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SlySoft
2007-10-18 07:02 <DIR> d-------- C:\Program Files\SlySoft
2007-10-18 05:56 162,304 --a------ C:\UNWISE.EXE
2007-10-17 07:33 <DIR> d-------- C:\Program Files\Project64 1.6
2007-10-14 22:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-14 22:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-14 22:23 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 22:15 <DIR> dr-h----- C:\MSOCache
2007-10-08 20:22 <DIR> d-------- C:\Program Files\LucasArts
2007-09-30 18:10 <DIR> d-------- C:\Program Files\Audacity
2007-09-28 09:50 <DIR> d-------- C:\Program Files\Bonjour
2007-09-28 09:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ruckus Network
2007-09-28 09:49 <DIR> d-------- C:\Program Files\Ruckus Player
2007-09-27 13:50 <DIR> d-------- C:\Program Files\iTunes
2007-09-27 13:50 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 08:18 --------- d-----w C:\Program Files\Soulseek
2007-10-23 12:17 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-23 00:15 --------- d-----w C:\Program Files\QuickTime
2007-10-23 00:15 --------- d-----w C:\Program Files\AIM6
2007-10-19 07:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-09-30 19:53 --------- d-----w C:\Program Files\DivX
2007-09-27 17:50 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 21:39 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo!
2007-09-23 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-09-22 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2007-09-22 05:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-21 06:07 --------- d-----w C:\Program Files\Real
2007-09-21 06:07 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-21 06:07 --------- d-----w C:\Program Files\Common Files\Real
2007-09-21 01:39 --------- d-----w C:\Program Files\JetAudio
2007-09-21 01:16 --------- d-----w C:\Program Files\Last.fm
2007-09-21 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2007-09-21 00:40 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-21 00:21 --------- d-----w C:\Program Files\Google
2007-09-19 12:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-19 12:44 --------- d-----w C:\Program Files\Transparent
2007-09-19 12:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-19 12:43 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-19 12:39 --------- d-----w C:\Program Files\VideoLAN
2007-09-19 12:38 --------- d-----w C:\Program Files\ACD Systems
2007-09-19 12:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-09-19 12:32 --------- d-----w C:\Program Files\Picasa2
2007-09-18 12:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 16:31 3,080 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-09-11 04:08 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 12:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-19 03:15]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"HP Update 5370C"="C:\sj666\hpupdate.exe" [2002-02-08 14:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 22:01]
"Aim6"="" []

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d790af54-612b-11dc-b8d5-000f1f7af35c}]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d790af62-612b-11dc-b8d5-000f1f7af35c}]
AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 05:30:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 5:31:28
C:\ComboFix2.txt ... 2007-10-23 21:13
.
--- E O F ---


Hijack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:58 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\sj666\hpupdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://z6.invisionfree.com/distortional_addict
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Update 5370C] C:\sj666\hpupdate.exe 5370C+
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.27/uploader2.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E04E97-A5A0-4587-B3D5-4F35A2FAADB6}: NameServer = 205.152.37.23,205.152.144.23
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5484 bytes



