I Think I Have/had Anti-storm Spyware


This topic is locked.
11 replies to this topic

#1 bigtrevdogg (Members, 60 posts)

Posted 03 November 2007 - 03:06 AM

I've read some of the other threads and tried to clean the computer from the advice that was given. I didn't think that I got it all, because I still have the black screen displaying my IP address and saying I have spyware. Here is my log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:01 AM, on 11/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\vvgeowbv.exe,C:\Windows\system32\userinit.exe,C:\Windows\System32\ntos.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [startdrv] C:\Windows\Temp\startdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\Windows\System32\_svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\Windows\System32\_svchost.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 6253 bytes


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 November 2007 - 08:07 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, bigtrevdogg. :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1a:
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed, or we'll both be wasting our time.

Do not install Service Pack 2.
If you install SP2 on an infected machine it will cause serious problems within the operating system.

Once you've completed the above, post a new HijackThis log into this topic.

#3 bigtrevdogg (Topic Starter, Members, 60 posts)

Posted 03 November 2007 - 11:03 AM

Hello, Richie. Thanks for getting back to me so fast! Well, here is the new HijackThis log after the install of SP1a.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:23 AM, on 11/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\System32\msiexec.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
F2 - REG:system.ini: UserInit=C:\Windows\System32\vvgeowbv.exe,C:\Windows\system32\userinit.exe,C:\Windows\System32\ntos.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [startdrv] C:\Windows\Temp\startdrv.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\Windows\System32\_svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101192904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101173764
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\Windows\System32\_svchost.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5881 bytes
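Both HijackThis logs in this thread (post #1 and the post-SP1a log in post #3) carry the same set of suspect entries: the F2 Userinit value lists vvgeowbv.exe and ntos.exe beside the legitimate userinit.exe, a Run entry labelled "Microsoft Internet Explorer" launches _svchost.exe from System32, startdrv.exe autostarts from C:\Windows\Temp, and an O23 service with "Unknown owner" points at a missing file. The script below is an added example written for this page, not code from the thread, from HijackThis or from Trend Micro; it encodes those observations as generic triage rules and runs them over lines copied verbatim from the logs above (the SAMPLE_LOG text is that constructed sample). The rules are deliberately generic: Winlogon's Userinit value should name only userinit.exe, no core Windows process is ever launched from a Run key, and autostarts from a temp directory are rarely legitimate. Caveat: remnants of uninstalled software trigger the same O23 rule (the second log's Symantec ccSvcHst services also read "Unknown owner" and "(file missing)"), so the output is a list of leads to verify on disk, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\Windows\System32\vvgeowbv.exe,C:\Windows\system32\userinit.exe,C:\Windows\System32\ntos.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [startdrv] C:\Windows\Temp\startdrv.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\Windows\System32\_svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\Windows\System32\_svchost.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code: F2, O2, O4, O23
    severity: str  # high / medium / low
    reason: str
    line: str


# Autostarts living in a temp directory are a classic dropper habit.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
# Core Windows process names. None of these is ever started from a Run key,
# so a Run entry using one (with or without a leading "_") is masquerading.
SYSTEM_NAME_MIMIC_RE = re.compile(
    r"^_?(svchost|lsass|csrss|smss|winlogon|services|explorer)\d*\.exe$", re.I)


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def first_executable(command: str) -> str:
    """Program part of a Run-key command line: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def check_userinit(line: str) -> list:
    """F2: the comma-separated Userinit value should name only userinit.exe."""
    m = re.search(r"UserInit=(.*)$", line, re.I)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [Finding("F2", "high", f"extra Userinit program: {e}", line)
            for e in entries if basename(e).lower() != "userinit.exe"]


def check_run(line: str) -> list:
    """O4: flag autostarts from temp directories and system-process look-alikes."""
    m = re.match(r"O4 - [^:]*: \[(.*?)\] (.*)$", line)
    if not m:
        return []
    exe = first_executable(m.group(2))
    name = basename(exe)
    out = []
    if TEMP_DIR_RE.search(exe):
        out.append(Finding("O4", "high", f"autostart from a temp directory: {exe}", line))
    if SYSTEM_NAME_MIMIC_RE.match(name):
        out.append(Finding("O4", "high", f"system-process name used by a Run entry: {name}", line))
    return out


def check_service(line: str) -> list:
    """O23: missing binaries and unsigned/unknown publishers are leads, not proof."""
    out = []
    if "(file missing)" in line:
        out.append(Finding("O23", "medium", "service binary missing on disk", line))
    if "Unknown owner" in line:
        out.append(Finding("O23", "low", "service binary has no identified publisher", line))
    return out


def check_bho(line: str) -> list:
    """O2: an orphaned BHO registration is leftover, usually safe to remove."""
    if line.endswith("(no file)"):
        return [Finding("O2", "low", "orphaned BHO registration", line)]
    return []


CHECKS = {"F2": check_userinit, "O4": check_run, "O23": check_service, "O2": check_bho}


def triage(log_text: str) -> list:
    """Run every rule over a HijackThis log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        check = CHECKS.get(line.split(" ", 1)[0])
        if check:
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}")
```

Run against the sample it reports seven leads: the two extra Userinit programs, the Temp autostart, the _svchost.exe Run entry, the missing/unowned service, and the orphaned BHO, while igfxtray, jusched, dumprep and the AVG service pass. The ComboFix report later in the thread still lists vvgeowbv.exe in the HKCU Winlogon Userinit value, so a check like this belongs on every fresh log until the value reads userinit.exe alone.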

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 November 2007 - 03:10 PM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop.
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze or hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
If your antivirus or any other real-time scanner displays an alert after you download ComboFix, or while you use ComboFix, please disable your scanner and re-download ComboFix.
Some scanners may see some ComboFix-related components as suspicious and block or delete them, while there's nothing wrong with them.

Also post a new Hijackthis log please.

#5 bigtrevdogg (Topic Starter, Members, 60 posts)

Posted 03 November 2007 - 04:16 PM

ComboFix 07-11-04.1 - Administrator 2007-11-03 16:07:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.307 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch
C:\Documents and Settings\Administrator\Application Data\WinTouch\wintouch.cfg
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Insider
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Windows\7search.dll
C:\Windows\aconti.exe
C:\Windows\adbar.dll
C:\Windows\b122.exe
C:\Windows\cbinst$.exe
C:\Windows\daxtime.dll
C:\Windows\dobe~1
C:\Windows\dp0.dll
C:\Windows\eventlowg.dll
C:\Windows\fhfmm-Uninstaller.exe
C:\Windows\fhfmm.exe
C:\Windows\flt.dll
C:\Windows\hcwprn.exe
C:\Windows\hotporn.exe
C:\Windows\ie_32.exe
C:\Windows\iexplorr23.dll
C:\Windows\jd2002.dll
C:\Windows\kkcomp$.exe
C:\Windows\kkcomp.dll
C:\Windows\kkcomp.exe
C:\Windows\kvnab$.exe
C:\Windows\kvnab.dll
C:\Windows\kvnab.exe
C:\Windows\liqad$.exe
C:\Windows\liqad.dll
C:\Windows\liqad.exe
C:\Windows\liqui-Uninstaller.exe
C:\Windows\liqui.dll
C:\Windows\liqui.exe
C:\Windows\ngd.dll
C:\Windows\pbsysie.dll
C:\Windows\settn.dll
C:\Windows\spredirect.dll
C:\Windows\system32\4_exception.nls
C:\Windows\system32\drivers\blank.gif
C:\Windows\system32\drivers\box_1.gif
C:\Windows\system32\drivers\box_2.gif
C:\Windows\system32\drivers\box_3.gif
C:\Windows\system32\drivers\button_buynow.gif
C:\Windows\system32\drivers\button_freescan.gif
C:\Windows\system32\drivers\cell_bg.gif
C:\Windows\system32\drivers\cell_footer.gif
C:\Windows\system32\drivers\cell_header_block.gif
C:\Windows\system32\drivers\cell_header_remove.gif
C:\Windows\system32\drivers\cell_header_scan.gif
C:\Windows\system32\drivers\detect.htm
C:\Windows\system32\drivers\download_box.gif
C:\Windows\system32\drivers\download_btn.jpg
C:\Windows\system32\drivers\download_now_btn.gif
C:\Windows\system32\drivers\footer_back.jpg
C:\Windows\system32\drivers\header_1.gif
C:\Windows\system32\drivers\header_2.gif
C:\Windows\system32\drivers\header_3.gif
C:\Windows\system32\drivers\header_4.gif
C:\Windows\system32\drivers\header_red_bg.gif
C:\Windows\system32\drivers\header_red_free_scan.gif
C:\Windows\system32\drivers\header_red_free_scan_bg.gif
C:\Windows\system32\drivers\header_red_protect_your_pc.gif
C:\Windows\system32\drivers\infected.gif
C:\Windows\system32\drivers\main_back.gif
C:\Windows\system32\drivers\NdisWon.sys
C:\Windows\system32\drivers\perfect_cleaner_box.jpg
C:\Windows\system32\drivers\product_1_header.gif
C:\Windows\system32\drivers\product_1_name_small.gif
C:\Windows\system32\drivers\product_2_header.gif
C:\Windows\system32\drivers\product_2_name_small.gif
C:\Windows\system32\drivers\product_3_header.gif
C:\Windows\system32\drivers\product_3_name_small.gif
C:\Windows\system32\drivers\product_features.gif
C:\Windows\system32\drivers\pt.htm
C:\Windows\system32\drivers\rating.gif
C:\Windows\system32\drivers\s_detect.htm
C:\Windows\system32\drivers\screenshot.jpg
C:\Windows\system32\drivers\sep_hor.gif
C:\Windows\system32\drivers\sep_vert.gif
C:\Windows\system32\drivers\shadow.jpg
C:\Windows\system32\drivers\shadow_bg.gif
C:\Windows\system32\drivers\spacer.gif
C:\Windows\system32\drivers\spy_away_box.jpg
C:\Windows\system32\drivers\star.gif
C:\Windows\system32\drivers\star_gray.gif
C:\Windows\system32\drivers\star_gray_small.gif
C:\Windows\system32\drivers\star_small.gif
C:\Windows\system32\drivers\style.css
C:\Windows\system32\drivers\v.gif
C:\Windows\system32\drivers\warning_icon.gif
C:\Windows\system32\drivers\win_logo.gif
C:\Windows\system32\drivers\x.gif
C:\Windows\system32\gtv_sd.bin
C:\Windows\system32\kr_done1
C:\Windows\system32\RunOnce3.t__
C:\Windows\system32\RunOnce3.tmp
C:\Windows\system32\vxddsk.exe
C:\Windows\system32\wml.exe
C:\Windows\wbeCheck.exe
C:\Windows\wbeInst$.exe
C:\Windows\wml.exe
C:\Windows\xadbrk.dll
C:\Windows\xadbrk.exe
C:\Windows\xadbrk_.exe
C:\Windows\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MICROSOFT_INTERNET_EXPLORER
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\Microsoft Internet Explorer


((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 16:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 16:06 <DIR> d-------- C:\Program Files\Java
2007-11-03 16:06 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-03 10:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-03 10:50 <DIR> d-------- C:\WINDOWS\ehome
2007-11-03 10:44 479,261 --------- C:\WINDOWS\system32\vbscript.dll
2007-11-03 10:44 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-11-03 10:44 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-11-03 10:44 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2007-11-03 10:44 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-11-03 10:44 48,640 --------- C:\WINDOWS\system32\vdmredir.dll
2007-11-03 10:44 16,384 --------- C:\WINDOWS\system32\watchdog.sys
2007-11-03 10:40 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll
2007-11-03 10:40 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll
2007-11-03 10:40 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-11-03 10:40 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-11-03 10:40 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2007-11-03 10:39 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll
2007-11-03 10:39 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2007-11-03 10:39 187,904 --------- C:\WINDOWS\system32\xpsp1res.dll
2007-11-03 10:39 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll
2007-11-03 10:39 49,152 --a------ C:\WINDOWS\system32\npptools.dll
2007-11-03 10:39 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2007-11-03 10:39 33,808 --a------ C:\WINDOWS\system32\ntio.sys
2007-11-03 10:39 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-11-03 10:38 403,456 --------- C:\WINDOWS\system32\winbrand.dll
2007-11-03 10:38 218,112 --------- C:\WINDOWS\system32\sbe.dll
2007-11-03 10:38 110,080 --------- C:\WINDOWS\system32\sbeio.dll
2007-11-03 10:38 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2007-11-03 10:36 844,675 --------- C:\WINDOWS\system32\ati3d1ag.dll
2007-11-03 10:36 450,176 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-11-03 10:36 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-11-03 10:33 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2007-11-03 10:33 348,191 --a------ C:\WINDOWS\system32\mspbde40.dll
2007-11-03 10:33 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-11-03 10:33 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll
2007-11-03 10:33 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-11-03 10:33 175,104 --a------ C:\WINDOWS\system32\mspmsp.dll
2007-11-03 10:33 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2007-11-03 10:33 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2007-11-03 10:32 1,503,262 --a------ C:\WINDOWS\system32\msjet40.dll
2007-11-03 10:32 368,710 --a------ C:\WINDOWS\system32\msisam11.dll
2007-11-03 10:32 348,195 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2007-11-03 10:32 241,695 --a------ C:\WINDOWS\system32\msjtes40.dll
2007-11-03 10:32 229,888 --a------ C:\WINDOWS\system32\msieftp.dll
2007-11-03 10:32 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2007-11-03 10:32 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2007-11-03 10:32 22,528 --a------ C:\WINDOWS\system32\mslbui.dll
2007-11-03 10:32 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2007-11-03 10:30 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2007-11-03 10:30 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2007-11-03 10:30 219,648 --a------ C:\WINDOWS\system32\logon.scr
2007-11-03 10:30 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-11-03 10:30 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2007-11-03 10:30 10,240 --a------ C:\WINDOWS\system32\localui.dll
2007-11-03 10:22 545,792 --------- C:\WINDOWS\system32\wsecedit.dll
2007-11-03 10:22 231,936 --------- C:\WINDOWS\system32\tracerpt.exe
2007-11-03 10:22 73,728 --------- C:\WINDOWS\system32\tlntsess.exe
2007-11-03 10:22 67,584 --------- C:\WINDOWS\system32\tlntsvr.exe
2007-11-03 10:22 57,856 --------- C:\WINDOWS\system32\tlntadmn.exe
2007-11-03 10:22 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-11-03 10:22 7,168 --------- C:\WINDOWS\system32\tlntsvrp.dll
2007-11-03 10:19 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-11-03 10:16 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-11-03 10:16 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-11-03 10:16 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-11-03 10:15 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-11-03 10:15 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-11-03 10:15 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-11-03 10:15 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-11-03 10:15 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-11-03 10:15 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-11-03 10:15 5,120 --a------ C:\WINDOWS\system32\asferror.dll
2007-11-03 10:14 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-11-03 10:14 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-11-03 10:14 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-11-03 10:14 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-11-03 10:14 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-11-03 09:52 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-03 09:51 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-11-03 09:51 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2007-11-03 09:51 7,680 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-11-03 09:51 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-11-03 09:51 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-11-03 09:51 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-11-03 09:48 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-03 09:47 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-03 09:47 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-03 09:47 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-03 09:47 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-03 03:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-03 03:06 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-03 02:55 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-03 01:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-03 01:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 01:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-03 01:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-03 00:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-03 00:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-03 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 06:42 --------- d-----w C:\Program Files\Google
2007-11-03 02:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 01:20 --------- d-----w C:\Program Files\LimeWire
2007-10-23 03:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-09-07 23:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2007-09-07 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-08-31 23:56 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\System32\igfxtray.exe" [2002-04-24 14:28]
"HotKeysCmds"="C:\Windows\System32\hkcmd.exe" [2002-04-24 14:20]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 17:01]
"PROMon.exe"="PROMon.exe" [2002-03-25 10:36 C:\WINDOWS\system32\PROMon.exe]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 17:03]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\Windows\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-11-02 21:57:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\Windows\\System32\\vvgeowbv.exe,C:\\Windows\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\System32\Drivers\ClntMgmt.sys
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
R2 NMSSvc;Intel® NMS;C:\Windows\System32\NMSSvc.exe
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\Windows\System32\DRIVERS\WG11TND5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\Windows\System32\DNINDIS5.SYS
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\Windows\System32\drivers\NMSCFG.SYS
S4 enqueue;enqueue;C:\Windows\System32\enqueue.exe -k netsvcs

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - NMSCFG
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 16:10:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 16:10:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 02:40
C:\ComboFix3.txt ... 2007-11-03 00:07
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:37 PM, on 11/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101192904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101173764
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5663 bytes

#6 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 04:37 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


Have HijackThis fix the following by placing a check in the appropriate box and selecting 'Fix checked'.
Make sure all browser windows and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
Exit HijackThis.

Download CCleaner to clear your temporary files.
Double click on the file to start the installation of the program.
Select your language and click OK, then Next.
Read the license agreement and click I Agree.
Click Next to use the default install location. Click Install, then Finish to complete the installation.
Double click the CCleaner shortcut on the desktop to start the program.
Uncheck "Cookies" under "Internet Explorer".
If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click Run Cleaner to run the program.
Caution:
It's not recommended to use the 'Issues' tab as it's known to find legitimate items.
Click Exit once CCleaner has finished.

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX control installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Restart your pc.
Also post a new Hijackthis log please.
Let me know how your pc is running now.
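The two manual steps in the post above (resetting Userinit with fix.reg and removing the orphaned O2 entry in HijackThis) can be checked against the logs before anything is written to the registry. What follows is an added Python example, not code from this thread, from ComboFix or from HijackThis: it pulls the Userinit value out of a ComboFix-style registry dump, separates the real userinit.exe from any executable chained in with it, builds a REGEDIT4 fix in the same shape as the posted fix.reg (the hive is a parameter and defaults to HKLM as in that fix), and flags HijackThis O2/O23 lines marked "(no file)" or "(file missing)". The function names and the SAMPLE_* inputs are the example's own; the sample text is constructed from lines posted earlier in this thread, and the system root defaults to C:\Windows as on this machine.

```python
"""Offline checks behind the fix.reg / HijackThis steps in this thread.

Added example; not code from the thread, ComboFix or HijackThis.  The
function names and the SAMPLE_* inputs are the example's own.
"""
import re

WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# A .reg-style section header, e.g.
# [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
SECTION_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]\s*$", re.IGNORECASE)
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"\s*$', re.IGNORECASE)
# HijackThis marks a BHO whose DLL is gone with "(no file)" and a service
# whose binary is gone with "(file missing)".
ORPHAN_RE = re.compile(r"^O(2|23) - .*\((no file|file missing)\)\s*$")


def reg_unescape(s):
    """Undo the escaping REGEDIT4 applies to string data."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_userinit_values(log_text):
    """Return {hive: Userinit value} for each Winlogon section in a
    ComboFix / .reg style registry dump."""
    found, in_winlogon = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            is_winlogon = m.group(2).lower() == WINLOGON_SUBKEY.lower()
            in_winlogon = m.group(1).upper() if is_winlogon else None
            continue
        m = USERINIT_RE.match(line)
        if m and in_winlogon:
            found[in_winlogon] = reg_unescape(m.group(1))
    return found


def audit_userinit(value, system_root=r"C:\Windows"):
    """Split Userinit on commas and separate the legitimate userinit.exe
    from anything chained in front of or behind it.
    Returns (clean_value, suspicious_entries).  Comparison is
    case-insensitive; system_root defaults to C:\\Windows, pass the
    machine's real one."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    suspicious = [e.strip() for e in value.split(",")
                  if e.strip() and e.strip().lower() != expected]
    # Windows' default: the single userinit.exe path with a trailing comma.
    clean = system_root + r"\system32\userinit.exe,"
    return clean, suspicious


def make_reg_fix(clean_value, hive="HKEY_LOCAL_MACHINE"):
    """REGEDIT4 text that resets Userinit, in the same shape as the
    fix.reg posted above: delete the value, then re-create it."""
    escaped = clean_value.replace("\\", "\\\\")
    lines = [
        "REGEDIT4",
        "",
        "[%s\\%s]" % (hive, WINLOGON_SUBKEY),
        '"Userinit"=-',
        '"Userinit"="%s"' % escaped,
        "",
    ]
    return "\r\n".join(lines)


def find_orphans(hjt_lines):
    """HijackThis O2/O23 lines whose referenced file no longer exists."""
    return [l for l in hjt_lines if ORPHAN_RE.match(l.strip())]


# Constructed sample input, copied from the logs posted earlier in
# this thread (ComboFix registry dump and HijackThis lines).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\Windows\\System32\\vvgeowbv.exe,C:\\Windows\\system32\\userinit.exe"
"""
SAMPLE_HJT = [
    "O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
]

if __name__ == "__main__":
    for hive, value in parse_userinit_values(SAMPLE_LOG).items():
        clean, bad = audit_userinit(value)
        print("%s Userinit extras: %s" % (hive, bad))
        if bad:
            print(make_reg_fix(clean, hive))
    for line in find_orphans(SAMPLE_HJT):
        print("orphan entry:", line)
```

Run as a script it prints the extra Userinit executable and the generated fix, then the orphaned entries. An orphaned O23 service (the Symantec leftovers in this log, for instance) is a stale reference to review rather than malware by itself; it is flagged so it is not overlooked, and the helper above chose to fix only the O2 entry.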

#7 bigtrevdogg
  • Topic Starter
  • Members
  • 60 posts

Posted 03 November 2007 - 05:49 PM

I've done everything except for the F-Secure scan. The computer will not let the window open for some reason to scan... I'm not sure what's going on. Any ideas?

#8 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 05:58 PM

First make sure you're logged on to your pc as Administrator, or at least logged on using an account with administrator privileges.

Go here, download the Sysclean Package (3.2MB):
http://www.trendmicro.com/download/pattern-dcs.asp

Go here, download the latest Virus Pattern File for Windows (lpt809.zip) (24.8MB):
http://www.trendmicro.com/download/viruspattern.asp

Now create a new folder on your desktop, rename it Sysclean.
Now place the Sysclean Package inside that new folder.
Unzip/extract the Virus Pattern File to that new folder as well.

Close all open applications, and DISABLE your current antivirus software.
Open the Sysclean folder and double-click on sysclean.com to start the scan.
It will take some time to complete.
Be patient and let it clean whatever it finds.
Exit when done.

Open your Sysclean folder, then copy and paste the contents of sysclean.log in your next reply.
Also post a new HijackThis log.
Let me know how your pc is running now.

#9 bigtrevdogg
  • Topic Starter
  • Members
  • 60 posts

Posted 03 November 2007 - 07:19 PM

The computer seems to be running better now and I don't have any more pop-ups/ads.



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-11-04, 18:56:31, Auto-clean mode specified.
2007-11-04, 18:56:31, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN"...
2007-11-04, 18:56:46, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN" has finished running.
2007-11-04, 18:56:46, TSC Log:

2007-11-04, 18:56:48, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\*.*": Access is denied.
2007-11-04, 19:09:16, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2007 18:56:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 809 (250629 Patterns) (2007/11/01) (480900)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

C:\Program Files\Common Files\rfiw\rfiwd\vocabulary [TROJ_Generic]
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir [TROJ_AGENT.ZQT]
30524 files have been read.
30524 files have been checked.
27987 files have been scanned.
67191 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2007 19:09:16
---------*---------*---------*---------*---------*---------*---------*---------*
2007-11-04, 19:09:16, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2007 18:56:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 809 (250629 Patterns) (2007/11/01) (480900)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

Success Clean [ TROJ_Generic]( 1) from C:\Program Files\Common Files\rfiw\rfiwd\vocabulary
Success Clean [ TROJ_AGENT.ZQT]( 1) from C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir
30524 files have been read.
30524 files have been checked.
27987 files have been scanned.
67191 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2007 19:09:16 12 minutes 17 seconds (737.06 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-11-04, 19:09:16, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2007 18:56:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 809 (250629 Patterns) (2007/11/01) (480900)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

30524 files have been read.
30524 files have been checked.
27987 files have been scanned.
67191 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2007 19:09:16 12 minutes 17 seconds (737.06 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-11-04, 19:09:16, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN" has finished running.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:14 PM, on 11/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101192904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194101173764
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5510 bytes

#10 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 07:41 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be added automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

You should now consider going to Windows Update and getting your pc right up to date.
Allow Windows Update to install Service Pack 2.
Note:
Just as a precautionary measure, make sure you followed the steps above regarding System Restore first.

#11 bigtrevdogg
  • Topic Starter
  • Members
  • 60 posts

Posted 03 November 2007 - 08:00 PM

Thanks so much for all your help in getting this computer back into good shape... you're da man... peace.

#12 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 08:12 PM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.