Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help With Spyware/malware Causing Popups


  • Please log in to reply
4 replies to this topic

#1 Valenti

Valenti

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 25 October 2007 - 06:59 PM

Hi. I've been trying everything possible to get rid of certain popups which keep popping up in firefox, but to no avail. I've tried RogueRemover, Superantispyware and Norton Antivirus. These popups include graphic popups from sex-explorer, dvd-explorer and others which tell me to download their own antispyware.

Here's my HJT log, but please spell it out for me as I don't have much computer knowledge. If this problem persists, I will have to wipe my whole computer and I really don't want to do that!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:56:31, on 26/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TorrentStorm\TorrentStorm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B09F04F8-A0BD-C977-3EDE-31644B64FC01} - C:\DOCUME~1\Stu\APPLIC~1\WAYCHI~1\dartdate.exe (file missing)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [thunk first setup army] C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST\show owns.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Hvmenyg] C:\Program Files\Geocvmw\Sani.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Bb8w] C:\WINDOWS\expfkqxd.exe
O4 - HKLM\..\Run: [4333f17f.exe] C:\WINDOWS\system32\4333f17f.exe
O4 - HKLM\..\Run: [j8291131] rundll32 C:\WINDOWS\system32\j8291131.dll sook
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\xjqslvge.dll",realset
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [iouk] C:\PROGRA~1\COMMON~1\iouk\ioukm.exe
O4 - HKCU\..\Run: [CAKE THIS] C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1\DebugInside.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Policies\Explorer\Run: [{FC219565-0A61-2057-1112-02081602002c}] "C:\Program Files\Common Files\{FC219565-0A61-2057-1112-02081602002c}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824AXGB
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://66.240.181.129/gs/gsa0395.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19aaad10636dd7...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133622391562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/dialer/internazionale_ver11.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://ntlworld.oberon-media.com/online/on...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A85734B-221E-4CF6-B1CD-05F01ACA5583}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A85734B-221E-4CF6-B1CD-05F01ACA5583}: NameServer = 193.36.79.100 193.36.79.101
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: csrlolly - C:\WINDOWS\SYSTEM32\csrlolly.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 12411 bytes

BC AdBot (Login to Remove)

 


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:04:43 PM

Posted 26 October 2007 - 05:18 AM

Hi, Wellcome to Bleeping Computer Forums!

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:04:43 PM

Posted 26 October 2007 - 11:13 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Note: In the process of cleaning your pc, there are some tools in use that are made for specific infections / groups of infections. These, or the files included in them, are sometimes flagged by Security Software and are, what we call false-positives. Please, during this removal instrucions, keep your antispywares, antivirus and firewall disabled.
It is important that you turn the guard back on once the cleaning process has finished, to make sure re-infection will be avoided.


1. It is important that your computer has an antivirus software running on your machine.
Your log doesn't show an antivirus software running. This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Please download and install one of these good (and free) products:

Avira Antivir
Avast
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note: I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.



2. Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\expfkqxd.exe
  • Click on the submit button
  • Also repeat for this file:
    • C:\WINDOWS\system32\4333f17f.exe
  • Please post the results in your next reply.
3. Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 Valenti

Valenti
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 26 October 2007 - 06:54 PM

I tried loading the files on to Jotti's malware scan, but they just appear as "ready to scan".

During the combofix scan I had Avira loaded and I kept getting Trojan Horse messages during the process, so that made me worried.

ComboFix 07-10-23.2 - Stu 2007-10-27 0:37:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT 1:00]
Running from: C:\Documents and Settings\Stu\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\Stu\Application Data\macromedia\Flash Player\#SharedObjects\MY7LSBC8\www.broadcaster.com
C:\Documents and Settings\Stu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Stu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\companion wizard
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\SoftwareOnline
C:\Program Files\SoftwareOnline\SZVersionChecker.exe
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80
C:\WINDOWS\system32\aojxlbkh.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\mmljbksj.dat
C:\WINDOWS\system32\mmljbksj.exe
C:\WINDOWS\system32\mmljbksj_nav.dat
c:\WINDOWS\system32\mmljbksj_navps.dat
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.tmp
C:\WINDOWS\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\LEGACY_NWSAPAGENT
-------\Iprip
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-27 00:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 22:36 <DIR> d-------- C:\Program Files\Avira
2007-10-14 21:23 <DIR> d-------- C:\Program Files\avijoin
2007-10-13 22:40 <DIR> d-------- C:\Documents and Settings\Stu\Application Data\ForgottenRiddles
2007-10-13 22:39 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Mayan Princess
2007-10-13 22:34 <DIR> d-------- C:\Program Files\bfgclient
2007-10-13 18:55 31,232 --a------ C:\WINDOWS\system\vdremote.dll
2007-10-13 18:54 25,088 --a------ C:\WINDOWS\system\vdsvrlnk.dll
2007-10-10 16:19 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 22:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-08 22:53 <DIR> d-------- C:\Documents and Settings\Stu\Application Data\SUPERAntiSpyware.com
2007-10-08 21:28 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-08 19:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 23:49 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 23:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 23:49 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 23:49 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 23:49 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 23:49 5,212 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-05 23:27 <DIR> d-------- C:\Program Files\iTunes
2007-10-05 22:40 <DIR> d-------- C:\__eetemp
2007-10-05 22:06 <DIR> d-------- C:\Program Files\Evidence Eliminator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 22:47 --------- d-----w C:\Documents and Settings\Stu\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2007-10-21 21:22 --------- d-----w C:\Program Files\iPod
2007-10-10 21:24 --------- d-----w C:\Program Files\LimeWire
2007-10-08 21:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 21:43 --------- d-----w C:\Program Files\Symantec
2007-10-08 21:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-08 20:31 --------- d-----w C:\Program Files\Java
2007-10-08 19:17 --------- d-----w C:\Program Files\SearchRelevant
2007-10-08 19:17 --------- d-----w C:\Program Files\Power Scan
2007-10-08 18:21 --------- d-----w C:\Program Files\BFG
2007-10-05 21:17 --------- d-----w C:\Documents and Settings\Stu\Application Data\uTorrent
2007-09-24 20:54 --------- d-----w C:\Program Files\Trend Micro
2007-09-23 14:38 --------- d-----w C:\Program Files\RogueRemover FREE
2007-09-22 15:47 --------- d-----w C:\Program Files\DivX
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-09 23:07 --------- d-----w C:\Program Files\VideoLAN
2007-09-09 18:25 --------- d-----w C:\Documents and Settings\Stu\Application Data\vlc
2007-09-06 21:00 --------- d-----w C:\Program Files\Apple Software Update
2007-09-03 14:29 --------- d-----w C:\Documents and Settings\Stu\Application Data\PlayFirst
2007-09-03 13:25 --------- d-----w C:\Program Files\Mystery Case Files - Prime Suspects
2007-09-03 13:23 --------- d-----w C:\Program Files\Dream Chronicles
2007-09-03 02:18 --------- d-----w C:\Program Files\Mystery Case Files - Ravenhearst
2007-09-02 16:38 --------- d-----w C:\Documents and Settings\Stu\Application Data\Big Fish Games
2007-09-02 16:37 --------- d-----w C:\Program Files\Azada
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-31 22:46 66,068 ----a-w C:\WINDOWS\system32\cixcumoi.exe
2007-07-31 10:09 66,068 ----a-w C:\WINDOWS\system32\sttyiyni.exe
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 10:08 66,068 ----a-w C:\WINDOWS\system32\ruiscser.exe
2007-07-29 00:42 66,068 ----a-w C:\WINDOWS\system32\ibegxjyd.exe
2007-07-28 00:42 66,068 ----a-w C:\WINDOWS\system32\nyianihx.exe
2007-07-27 00:41 66,068 ----a-w C:\WINDOWS\system32\dvkjrghq.exe
2007-07-26 00:41 66,580 ----a-w C:\WINDOWS\system32\bobgwhls.dll
2007-07-26 00:40 66,068 ----a-w C:\WINDOWS\system32\fhmcapjf.exe
2004-04-09 15:13 114,688 -c--a-w C:\Program Files\NETGEAR DG632 USB Driveruninstalldrv.exe
2005-05-10 16:51:49 56 -csh--r C:\WINDOWS\system32\F694F4FDCD.sys
2006-12-11 20:55:14 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B09F04F8-A0BD-C977-3EDE-31644B64FC01}]
C:\DOCUME~1\Stu\APPLIC~1\WAYCHI~1\dartdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 02:10]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 02:24]
"WD Button Manager"="WDBtnMgr.exe" [2006-05-23 18:08 C:\WINDOWS\system32\WDBtnMgr.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-19 02:39]
"thunk first setup army"="C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST\show owns.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 17:26]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 17:26]
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 17:25]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:31]
"Hvmenyg"="C:\Program Files\Geocvmw\Sani.exe" []
"Evidence Eliminator"="C:\Program Files\Evidence Eliminator\ee.exe" []
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 09:50]
"Bb8w"="C:\WINDOWS\expfkqxd.exe" []
"4333f17f.exe"="C:\WINDOWS\system32\4333f17f.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-26 22:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"iouk"="C:\PROGRA~1\COMMON~1\iouk\ioukm.exe" []
"CAKE THIS"="C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1\DebugInside.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csrlolly]
csrlolly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32]
wingdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Stu^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Stu\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\expfkqxd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\expfkqxd.exe

R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys
R3 TTNDISTB;Virtual STB-S/-C/-T Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\ttndistb.sys
S2 KC180;IRXpress USB IrDA Device;C:\WINDOWS\system32\Drivers\kcirusb.sys
S3 Cmdavc;Cmdavc;C:\WINDOWS\system32\drivers\nwlnkflt.sys
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys
S3 KCIRDA;%KCIRDA.ServiceDesc%;C:\WINDOWS\system32\DRIVERS\KCIrNet.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 TTDVBSTB;TTDVBSTB driver;C:\WINDOWS\system32\Drivers\TTDVBSTB.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 00:48:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 0:49:59 - machine was rebooted
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:54:05, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B09F04F8-A0BD-C977-3EDE-31644B64FC01} - C:\DOCUME~1\Stu\APPLIC~1\WAYCHI~1\dartdate.exe (file missing)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [thunk first setup army] C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST\show owns.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Hvmenyg] C:\Program Files\Geocvmw\Sani.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Bb8w] C:\WINDOWS\expfkqxd.exe
O4 - HKLM\..\Run: [4333f17f.exe] C:\WINDOWS\system32\4333f17f.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [iouk] C:\PROGRA~1\COMMON~1\iouk\ioukm.exe
O4 - HKCU\..\Run: [CAKE THIS] C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1\DebugInside.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824AXGB
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://66.240.181.129/gs/gsa0395.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19aaad10636dd7...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133622391562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/dialer/internazionale_ver11.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://ntlworld.oberon-media.com/online/on...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A85734B-221E-4CF6-B1CD-05F01ACA5583}: NameServer = 193.36.79.101 193.36.79.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A85734B-221E-4CF6-B1CD-05F01ACA5583}: NameServer = 193.36.79.101 193.36.79.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: csrlolly - csrlolly.dll (file missing)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 12409 bytes



Thanks in advance for doing this.

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:04:43 PM

Posted 29 October 2007 - 06:12 AM

Hi

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Note: In the process of cleaning your pc, there are some tools in use that are made for specific infections / groups of infections. These, or the files included in them, are sometimes flagged by Security Software and are, what we call false-positives. Please, during this removal instrucions, keep your antispywares, antivirus and firewall disabled.
It is important that you turn the guard back on once the cleaning process has finished, to make sure re-infection will be avoided.


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below,"if still present":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [thunk first setup army] C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST\show owns.exe
O4 - HKLM\..\Run: [Bb8w] C:\WINDOWS\expfkqxd.exe
O4 - HKLM\..\Run: [4333f17f.exe] C:\WINDOWS\system32\4333f17f.exe
O4 - HKCU\..\Run: [iouk] C:\PROGRA~1\COMMON~1\iouk\ioukm.exe
O4 - HKCU\..\Run: [CAKE THIS] C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1\DebugInside.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824AXGB
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://66.240.181.129/gs/gsa0395.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O20 - Winlogon Notify: csrlolly - csrlolly.dll (file missing)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

Click on Posted Image button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



2. Click Start, then Run. (The Run dialog box appears)
Type, or copy and paste, the following text:

C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST\show owns.exe -uninstall

then click OK. (If a dialog box confirming this action appears, click OK.)

Repeat for:

C:\PROGRA~1\COMMON~1\iouk\ioukm.exe -uninstall
C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1\DebugInside.exe -uninstall




3. Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)


4. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found here.



5. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:

Collect::
C:\WINDOWS\system32\ruiscser.exe
C:\WINDOWS\system32\ibegxjyd.exe
C:\WINDOWS\system32\nyianihx.exe
C:\WINDOWS\system32\dvkjrghq.exe
C:\WINDOWS\system32\bobgwhls.dll
C:\WINDOWS\system32\fhmcapjf.exe
C:\WINDOWS\system32\F694F4FDCD.sys
C:\WINDOWS\expfkqxd.exe
C:\WINDOWS\system32\4333f17f.exe
File::
C:\WINDOWS\system32\csrlolly.dll
C:\WINDOWS\system32\wingdm32.dll
Folder::
C:\Program Files\SearchRelevant
C:\DOCUME~1\Stu\APPLIC~1\WAYCHI~1
C:\Documents and Settings\All Users\Application Data\USERCOALTHUNKFIRST
C:\PROGRA~1\COMMON~1\iouk
C:\DOCUME~1\Stu\APPLIC~1\EXITKN~1
C:\Program Files\ISTsvc
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B09F04F8-A0BD-C977-3EDE-31644B64FC01}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"thunk first setup army"=-
"Bb8w"=-
"4333f17f.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iouk"=-
"CAKE THIS"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csrlolly]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Stu^Start Menu^Programs^Startup^.protected]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:]

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • Posted Image
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users