Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Darksma, Kastem Infections & Highjackthis Log


  • Please log in to reply
9 replies to this topic

#1 Banano

Banano

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 05 November 2007 - 11:28 PM

I've done everything recommended in the Preparation Guide, along with using programs VundoFix and VirtumondoBeGone to remove infections, but CA Antivirus software keeps popping up occasional infections, particularly kastem.ap and darksma.sp. Internet Explorer is very slow and quits after 5 minutes of use, and computer speed in general seems to have been affected. Below is my HijackThis log, I'd appreciate any help I can get so I don't have to pay a technician to fix it for me. Thanks!

Banano

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:19 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [shovqval] rundll32.exe "C:\Program Files\shovqval\qfalihqd.dll",Init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lahyrqbo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lahyrqbo.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [ezilefkv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ezilefkv.dll"
O4 - HKLM\..\Run: [f47e72a3] rundll32.exe "C:\WINDOWS\system32\cnijumth.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188882958109
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 9839 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 06 November 2007 - 06:29 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Banano :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Banano

Banano
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 06 November 2007 - 09:03 AM

Alrighty, did that. Combofix ran into a quick snag after the scan and reboot when creating a log file, when my processes began loading up again, but I don't think it made any effect besides a pause in log file creation. Here's the log file and another HijackThis log. What now?
------------------------------------------------------------

ComboFix 07-11-06.5 - Jenny 2007-11-07 0:38:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.505 [GMT 11:00]
Running from: C:\Documents and Settings\Jenny\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ezilefkv.dll
C:\Documents and Settings\Jenny\Favorites\Online Security Guide.lnk
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\SecCenter\scprot4.exe.bak
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\gjllm.tmp
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\ozjelkhp.dllbox
C:\WINDOWS\system32\urkfnlhm.dll
C:\WINDOWS\system32\winetn32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-07 00:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 00:05 87,104 --a------ C:\WINDOWS\system32\gqeslhnr.dll
2007-11-07 00:02 81,472 --a------ C:\WINDOWS\system32\mvxmblms.dll
2007-11-06 15:11 83,008 --a------ C:\WINDOWS\system32\fvexudxk.dll
2007-11-06 15:05 85,568 --a------ C:\WINDOWS\system32\cnijumth.dll
2007-11-05 23:49 83,008 --a------ C:\WINDOWS\system32\siutxaji.dll
2007-11-05 23:46 85,568 --a------ C:\WINDOWS\system32\coywwihv.dll
2007-11-05 11:03 <DIR> d-------- C:\Program Files\Hktftqud
2007-11-04 23:51 78,912 --a------ C:\WINDOWS\system32\dabglbgs.dll
2007-11-03 23:48 81,472 --a------ C:\WINDOWS\system32\cwatgehc.dll
2007-11-03 16:29 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-03 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 00:34 <DIR> d-------- C:\Program Files\Gyhpnzrq
2007-11-02 12:07 35,328 --a------ C:\WINDOWS\system32\awttroo.dll.vir
2007-11-02 12:06 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll
2007-11-02 12:06 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-11-01 21:58 <DIR> d-------- C:\Program Files\iTunes
2007-11-01 21:54 <DIR> d-------- C:\Program Files\QuickTime
2007-11-01 21:48 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-11-01 21:09 51,422,520 --a------ C:\Documents and Settings\Liam\iTunes743Setup.exe
2007-11-01 10:51 <DIR> d-------- C:\Program Files\Opjtqowd
2007-10-31 14:23 <DIR> d-------- C:\VundoFix Backups
2007-10-31 14:19 35,840 --a------ C:\WINDOWS\system32\urqonon.dll
2007-10-28 12:14 <DIR> d-------- C:\Program Files\Acesoft
2007-10-28 12:14 277,504 --a------ C:\WINDOWS\system32\oestore.dll
2007-10-28 11:45 <DIR> d-------- C:\Program Files\Easy SystemCleaner
2007-10-25 14:19 <DIR> d-------- C:\Program Files\Rsqasjzm
2007-10-25 14:14 36,352 --a------ C:\WINDOWS\system32\xxyyawv.dll
2007-10-25 14:12 <DIR> d-------- C:\Program Files\shovqval
2007-10-22 21:57 <DIR> d-------- C:\Program Files\CloneDVD
2007-10-14 15:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 22:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 10:58 --------- d-----w C:\Program Files\iPod
2007-11-01 10:50 --------- d-----w C:\Program Files\Apple Software Update
2007-10-31 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 00:46 --------- d-----w C:\Program Files\Lavasoft
2007-10-30 12:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 10:58 39,488 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-22 10:13 81,920 ----a-w C:\Documents and Settings\Jenny\Application Data\ezpinst.exe
2007-10-22 10:13 47,360 ----a-w C:\Documents and Settings\Jenny\Application Data\pcouffin.sys
2007-10-22 10:13 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Vso
2007-10-15 05:57 --------- d-----w C:\Program Files\FinePixViewer
2007-10-08 11:50 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-04 13:49 --------- d-----w C:\Program Files\Java
2007-10-03 13:49 --------- d-----w C:\Documents and Settings\Jenny\Application Data\FUJIFILM
2007-10-03 13:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 13:43 --------- d-----w C:\Program Files\PIXELA
2007-10-03 13:38 --------- d-----w C:\Program Files\REGSHAVE
2007-09-27 00:01 --------- d-----w C:\Program Files\LimeWire
2007-09-04 05:47 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-04 05:47 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-08-28 14:30 13,416,432 ----a-w C:\Documents and Settings\Liam\Google_Earth_BZXV.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-24 01:25 0 ----a-w C:\Documents and Settings\Liam\iTunesSetup.exe
2007-05-24 13:34 32,872 ----a-w C:\Documents and Settings\Jenny\Application Data\GDIPFONTCACHEV1.DAT
2006-07-31 09:11 11,425,622 ----a-w C:\Documents and Settings\Liam\GP5DEMO.exe
2006-06-26 07:00 604 ---ha-w C:\Program Files\STLL Notifier
2006-06-23 05:04 11,817,800 ----a-w C:\Documents and Settings\Liam\GoogleEarth-0762.exe
2004-08-09 13:30 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
2007-11-03 00:34 106496 --a------ C:\Program Files\Gyhpnzrq\rwcleenc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{391B174C-A6B7-C9D7-6743-01F7A0D663D6}]
2007-11-05 11:03 106496 --a------ C:\Program Files\Hktftqud\ygbutqpu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b11cc7d3-b5db-4e39-8054-e58fe095ce84}]
2007-11-07 00:02 81472 --a------ C:\WINDOWS\system32\mvxmblms.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iamapp"="C:\Program Files\Norton Personal Firewall\IAMAPP.EXE" [2001-04-18 10:32]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2004-09-06 13:50]
"LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 C:\WINDOWS\system32\ltmsg.exe]
"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 14:47]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 22:29]
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2007-04-30 11:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 03:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 02:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 15:52]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 14:47]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 19:00]
"RegistryMechanic"="" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"f47e72a3"="C:\WINDOWS\system32\gqeslhnr.dll" [2007-11-07 00:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-10-04 00:39:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{806E1CA8-2B65-45B5-B1D4-C42EF388E119}"= C:\WINDOWS\system32\urqonon.dll [2007-10-31 14:19 35840]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlljg.dll

R2 NISDRV;NISDRV;\??\C:\WINDOWS\System32\Drivers\NISDRV.SYS
R2 NISSERV;Norton Personal Firewall Service;C:\Program Files\Norton Personal Firewall\NISSERV.EXE
R3 DNSFILT;DNSFILT;\??\C:\WINDOWS\System32\Drivers\DNSFILT.SYS
R3 FWFILT;FWFILT;\??\C:\WINDOWS\System32\Drivers\FWFILT.SYS
R3 HTTPFILT;HTTPFILT;\??\C:\WINDOWS\System32\Drivers\HTTPFILT.SYS
R3 NDISFILT;NDISFILT;\??\C:\WINDOWS\System32\Drivers\NDISFILT.SYS
R3 SYMFILT;SYMFILT;\??\C:\WINDOWS\System32\Drivers\SYMFILT.SYS
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5bv.sys
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 lredbooo;lredbooo;\??\C:\DOCUME~1\Jenny\LOCALS~1\Temp\lredbooo.sys
S3 Mini98;Mini98 Device;C:\WINDOWS\system32\DRIVERS\Mini98.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 10:40:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 00:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???b???????????? C?????Disc Detector?B???A???????A???????B???@?$?@?? C?????U?@?????????@?B???A???????A?P?????B???@?????P???$?@???????????A~??????????@?q?????????????????B?????\????????????????????`????????B
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???n???$???U?A~??A~\???\???n???H?a???????B~\???\??????s????\??????s\????&2?A??s?&2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 0:56:44 - machine was rebooted
.
--- E O F ---
-----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:02 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Documents and Settings\Jenny\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Gyhpnzrq\rwcleenc.dll
O2 - BHO: (no name) - {391B174C-A6B7-C9D7-6743-01F7A0D663D6} - C:\Program Files\Hktftqud\ygbutqpu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {48ec590e-f85e-4508-93e4-bd5b3d7cc11b} - {b11cc7d3-b5db-4e39-8054-e58fe095ce84} - C:\WINDOWS\system32\mvxmblms.dll
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f47e72a3] rundll32.exe "C:\WINDOWS\system32\gqeslhnr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188882958109
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 9935 bytes
--------------

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 06 November 2007 - 09:31 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\gqeslhnr.dll
C:\WINDOWS\system32\mvxmblms.dll
C:\WINDOWS\system32\fvexudxk.dll
C:\WINDOWS\system32\cnijumth.dll
C:\WINDOWS\system32\siutxaji.dll
C:\WINDOWS\system32\coywwihv.dll
C:\WINDOWS\system32\dabglbgs.dll
C:\WINDOWS\system32\cwatgehc.dll
C:\WINDOWS\system32\awttroo.dll.vir
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\urqonon.dll
C:\WINDOWS\system32\xxyyawv.dll
Folder::
C:\Program Files\Hktftqud
C:\Program Files\Gyhpnzrq
C:\Program Files\Opjtqowd
C:\Program Files\Rsqasjzm
C:\Program Files\shovqval
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{391B174C-A6B7-C9D7-6743-01F7A0D663D6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b11cc7d3-b5db-4e39-8054-e58fe095ce84}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f47e72a3"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{806E1CA8-2B65-45B5-B1D4-C42EF388E119}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 Banano

Banano
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 06 November 2007 - 07:30 PM

OK, have done this. Forgot to disconnect from internet until about Stage 9 of ComboFix. Hope this is OK, but let me know if I have to do the scan again. Here's the log files. What now?
---------------------------------------------------------------------------------------------------------------------

ComboFix 07-11-06.5 - Jenny 2007-11-07 11:11:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.641 [GMT 11:00]
Running from: C:\Documents and Settings\Jenny\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\awttroo.dll.vir
C:\WINDOWS\system32\cnijumth.dll
C:\WINDOWS\system32\coywwihv.dll
C:\WINDOWS\system32\cwatgehc.dll
C:\WINDOWS\system32\dabglbgs.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\fvexudxk.dll
C:\WINDOWS\system32\gqeslhnr.dll
C:\WINDOWS\system32\mvxmblms.dll
C:\WINDOWS\system32\siutxaji.dll
C:\WINDOWS\system32\urqonon.dll
C:\WINDOWS\system32\xxyyawv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Gyhpnzrq
C:\Program Files\Gyhpnzrq\rwcleenc.dll
C:\Program Files\Hktftqud
C:\Program Files\Hktftqud\ygbutqpu.dll
C:\Program Files\Opjtqowd
C:\Program Files\Opjtqowd\hivkzifd.dll
C:\Program Files\Rsqasjzm
C:\Program Files\Rsqasjzm\nxdhkfdy.dll
C:\Program Files\shovqval
C:\Program Files\shovqval\qfalihqd.dll
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\hhuanere.dll.bad
C:\VundoFix Backups\urqonon.dll.bad
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\awttroo.dll.vir
C:\WINDOWS\system32\cnijumth.dll
C:\WINDOWS\system32\coywwihv.dll
C:\WINDOWS\system32\cwatgehc.dll
C:\WINDOWS\system32\dabglbgs.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\fvexudxk.dll
C:\WINDOWS\system32\gqeslhnr.dll
C:\WINDOWS\system32\mvxmblms.dll
C:\WINDOWS\system32\siutxaji.dll
C:\WINDOWS\system32\urqonon.dll
C:\WINDOWS\system32\xxyyawv.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 00:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 16:29 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-03 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 21:58 <DIR> d-------- C:\Program Files\iTunes
2007-11-01 21:54 <DIR> d-------- C:\Program Files\QuickTime
2007-11-01 21:48 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-11-01 21:09 51,422,520 --a------ C:\Documents and Settings\Liam\iTunes743Setup.exe
2007-10-28 12:14 <DIR> d-------- C:\Program Files\Acesoft
2007-10-28 12:14 277,504 --a------ C:\WINDOWS\system32\oestore.dll
2007-10-28 11:45 <DIR> d-------- C:\Program Files\Easy SystemCleaner
2007-10-22 21:57 <DIR> d-------- C:\Program Files\CloneDVD
2007-10-14 15:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 22:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 10:58 --------- d-----w C:\Program Files\iPod
2007-11-01 10:50 --------- d-----w C:\Program Files\Apple Software Update
2007-10-31 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 00:46 --------- d-----w C:\Program Files\Lavasoft
2007-10-30 12:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 10:58 39,488 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-22 10:13 81,920 ----a-w C:\Documents and Settings\Jenny\Application Data\ezpinst.exe
2007-10-22 10:13 47,360 ----a-w C:\Documents and Settings\Jenny\Application Data\pcouffin.sys
2007-10-22 10:13 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Vso
2007-10-15 05:57 --------- d-----w C:\Program Files\FinePixViewer
2007-10-08 11:50 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-04 13:49 --------- d-----w C:\Program Files\Java
2007-10-03 13:49 --------- d-----w C:\Documents and Settings\Jenny\Application Data\FUJIFILM
2007-10-03 13:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 13:43 --------- d-----w C:\Program Files\PIXELA
2007-10-03 13:38 --------- d-----w C:\Program Files\REGSHAVE
2007-09-27 00:01 --------- d-----w C:\Program Files\LimeWire
2007-09-04 05:47 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-04 05:47 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-08-28 14:30 13,416,432 ----a-w C:\Documents and Settings\Liam\Google_Earth_BZXV.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-24 01:25 0 ----a-w C:\Documents and Settings\Liam\iTunesSetup.exe
2007-05-24 13:34 32,872 ----a-w C:\Documents and Settings\Jenny\Application Data\GDIPFONTCACHEV1.DAT
2006-07-31 09:11 11,425,622 ----a-w C:\Documents and Settings\Liam\GP5DEMO.exe
2006-06-26 07:00 604 ---ha-w C:\Program Files\STLL Notifier
2006-06-23 05:04 11,817,800 ----a-w C:\Documents and Settings\Liam\GoogleEarth-0762.exe
2004-08-09 13:30 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iamapp"="C:\Program Files\Norton Personal Firewall\IAMAPP.EXE" [2001-04-18 10:32]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2004-09-06 13:50]
"LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 C:\WINDOWS\system32\ltmsg.exe]
"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 14:47]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 22:29]
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2007-04-30 11:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 03:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 02:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 15:52]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 14:47]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 19:00]
"RegistryMechanic"="" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-10-04 00:39:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 NISDRV;NISDRV;\??\C:\WINDOWS\System32\Drivers\NISDRV.SYS
R2 NISSERV;Norton Personal Firewall Service;C:\Program Files\Norton Personal Firewall\NISSERV.EXE
R3 DNSFILT;DNSFILT;\??\C:\WINDOWS\System32\Drivers\DNSFILT.SYS
R3 FWFILT;FWFILT;\??\C:\WINDOWS\System32\Drivers\FWFILT.SYS
R3 HTTPFILT;HTTPFILT;\??\C:\WINDOWS\System32\Drivers\HTTPFILT.SYS
R3 NDISFILT;NDISFILT;\??\C:\WINDOWS\System32\Drivers\NDISFILT.SYS
R3 SYMFILT;SYMFILT;\??\C:\WINDOWS\System32\Drivers\SYMFILT.SYS
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5bv.sys
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 lredbooo;lredbooo;\??\C:\DOCUME~1\Jenny\LOCALS~1\Temp\lredbooo.sys
S3 Mini98;Mini98 Device;C:\WINDOWS\system32\DRIVERS\Mini98.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 10:40:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 11:22:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???@???????????? C?????Disc Detector?B???A???????A???????B???@?$?@?? C?????U?@?????????@?B???A???????A?P?????B???@?????P???$?@???????????A~??????????@?Y?????????????????B?????\?????????????????????????????B
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???x???$???U?A~??A~\???\???x???8?b???????B~\???\??????s????\??????s\????&2?A??s?&2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 11:25:00 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 00:56
.
--- E O F ---

--------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:49 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Documents and Settings\Jenny\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188882958109
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 9496 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 06 November 2007 - 07:43 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#7 Banano

Banano
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 08 November 2007 - 09:42 PM

Sorry I haven't been posting for a while. My brothers and I are in the middle of exams, and need computer for other things. I was able to do everything, except the online virus scan. Internet Explorer would install the activex controls needed etc, but no text was appearing after the page finished loading, so I couldn't do the virus scan. Was able to use SuperAntiSpyware program and fixed the two items in my HijackThis scan. My computer seems to be working much better now, with Internet Explorer causing me no more trouble. Here's the logs, anything else I should do?
P.S. I have recently downloaded and installed Adobe Reader 8.1, updating from Adobe Reader 5.0. Hope this hasn't thrown a spanner in the works, but I really needed it.
---------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/09/2007 at 11:30 AM

Application Version : 3.9.1008

Core Rules Database Version : 3340
Trace Rules Database Version: 1341

Scan type : Complete Scan
Total Scan Time : 00:49:12

Memory items scanned : 400
Memory threats detected : 0
Registry items scanned : 6210
Registry threats detected : 6
File items scanned : 45414
File threats detected : 34

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}
HKCR\CLSID\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}
HKCR\CLSID\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}\InprocServer32
HKCR\CLSID\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\URQONON.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}
HKCR\CLSID\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\EZILEFKV.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\HKTFTQUD\YGBUTQPU.DLL.VIR

Adware.Tracking Cookie
C:\Documents and Settings\Jenny\Cookies\jenny@atdmt[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@2o7[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@doubleclick[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@112.2o7[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@bs.serving-sys[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@ads.movieweb[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@advertising[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@e-2dj6wfliqjdjokp.stats.esomniture[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@xmlrevenue[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@serving-sys[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@media.adrevolver[1].txt

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AIVSKURQ.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001062.DLL

Malware.Ultimate Defender
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FKMDVBTN\FKMDVBTN1.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FKMDVBTN\FKMDVBTN2.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FKMDVBTN\FKMDVBTN3.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP2\A0000005.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP2\A0000006.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP2\A0000007.EXE

Trojan.Downloader-Gen/MobRules
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP2\A0000004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001057.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001058.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001059.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001060.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP2\A0000008.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001065.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001066.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001067.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001069.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP3\A0001070.DLL

-------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:28 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Documents and Settings\Jenny\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188882958109
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 9735 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 09 November 2007 - 09:16 AM

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also let me know how your pc is running now.
Posted Image
Posted Image

#9 Banano

Banano
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 11 November 2007 - 02:28 AM

Here are the results of that online scan. Internet Explorer and PC seem to be working fine, can occasionally still be a bit slow.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 11, 2007 6:25:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/11/2007
Kaspersky Anti-Virus database records: 427954
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 182921
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 02:01:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\history.dat Object is locked skipped
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\key3.db Object is locked skipped
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jenny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Application Data\Mozilla\Firefox\Profiles\ch1198ea.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Temp\~DF4396.tmp Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Temp\~DF5A79.tmp Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Temp\~DFAF91.tmp Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Temp\~DFD228.tmp Object is locked skipped
C:\Documents and Settings\Jenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jenny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jenny\Start Menu\Programs\Startup\Adobe Gamma Loader.exe Infected: Trojan-Clicker.Win32.VB.la skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton Personal Firewall\nisum.dat Object is locked skipped
C:\Program Files\Scientific Notebook\crack-inf.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped
C:\Program Files\Scientific Notebook\crack-inf.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped
C:\Program Files\Scientific Notebook\crack-inf.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{67AA81B1-48D9-4E37-82B5-F83D8E86FBF5}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Dan\Downloads\Mackichan.Scientific.Notebook.v5.5.2953-RECOiL.ZIP/crack-inf.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped
F:\Dan\Downloads\Mackichan.Scientific.Notebook.v5.5.2953-RECOiL.ZIP/crack-inf.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped
F:\Dan\Downloads\Mackichan.Scientific.Notebook.v5.5.2953-RECOiL.ZIP/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.la skipped
F:\Dan\Downloads\Mackichan.Scientific.Notebook.v5.5.2953-RECOiL.ZIP ZIP: infected - 3 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 11 November 2007 - 05:22 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Scientific Notebook\crack-inf.exe
F:\Dan\Downloads\Mackichan.Scientific.Notebook.v5.5.2953-RECOiL.ZIP/crack-inf.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Please run this online virus scan:Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the contents of that report in your next reply.

Also post a new Hijackthis log please.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users