
Please Check.


7 replies to this topic

#1 ahMedeightsix0

ahMedeightsix0

  • Members
  • 17 posts

Posted 07 November 2007 - 09:05 PM

Just system restored and computer very slow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:53 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1194380943249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194380995593
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 4361 bytes



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 November 2007 - 10:09 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ahMedeightsix0 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


With you having Service Pack 2 installed, I'm presuming you're using the Windows Firewall.
You may be behind a hardware firewall (router/NAT), but it wouldn't hurt to install a third-party software firewall to enhance protection.
A word of warning regarding the Windows Firewall in Service Pack 2: it only filters INCOMING traffic.
That means if malware happens to compromise your PC, it will be able to SEND OUT your credit card data and any other personal information.
I suggest you install a more robust third-party firewall that filters both INCOMING and OUTGOING traffic.

Download\install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should take the time to read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

Edited by RichieUK, 08 November 2007 - 10:09 AM.


#3 ahMedeightsix0

ahMedeightsix0
  • Topic Starter

  • Members
  • 17 posts

Posted 08 November 2007 - 05:07 PM

Just got home from school.. I'll post everything when it's ready =)

#4 ahMedeightsix0

ahMedeightsix0
  • Topic Starter

  • Members
  • 17 posts

Posted 08 November 2007 - 06:44 PM

Whoa, I downloaded AVG and it started coming up with all these pop-ups saying that it found PSW.Lenendmir.(2-3 letters, all different). I remember one was dadoor0.dll and there were about 20 more, so I tried deleting them 1 by 1, but every time I did they would disappear and just re-appear by themselves. Now I cannot even boot my computer normally; I can only boot it up in safe mode. =(

P.S. Every time I would tell AVG to "heal" or "send to vault" the infected item, it would say complete, but the item would just re-appear where it was previously. I noticed that all of them were "Trojan Horses." Hope that helps.

#5 ahMedeightsix0

ahMedeightsix0
  • Topic Starter

  • Members
  • 17 posts

Posted 08 November 2007 - 08:04 PM

IGNORE THE TOP 2 POSTS, I WORKED AROUND THEM.


COMBO FIX LOG

ComboFix 07-11-08.3 - AhMed 2007-11-08 19:54:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.716 [GMT -5:00]
Running from: C:\Documents and Settings\AhMed\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 19:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 18:17 <DIR> d-------- C:\Program Files\Driver Cleaner Pro
2007-11-08 17:58 <DIR> d-------- C:\WINDOWS\Sun
2007-11-08 17:21 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\AVG7
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-08 17:20 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-08 17:20 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-08 17:14 <DIR> d-------- C:\Program Files\Sygate
2007-11-08 17:14 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-08 17:14 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-08 17:14 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-07 20:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 20:14 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-06 19:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-06 19:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Ventrilo
2007-11-06 19:18 <DIR> d-------- C:\Program Files\iPod
2007-11-06 19:18 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Apple Computer
2007-11-06 19:17 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 19:16 <DIR> d-------- C:\Program Files\QuickTime
2007-11-06 19:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-06 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-06 19:15 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-06 19:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-06 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-06 19:02 <DIR> d-------- C:\Program Files\Steam
2007-11-06 19:01 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-06 18:59 <DIR> d-------- C:\Program Files\Java
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Nattyware
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 18:57 <DIR> d-------- C:\Program Files\LimeWire
2007-11-06 18:49 <DIR> d-------- C:\Program Files\RocketDock
2007-11-06 17:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-06 17:16 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
2007-11-06 17:16 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-06 17:12 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-11-06 17:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-06 16:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-06 16:46 <DIR> d-------- C:\WINDOWS\peernet
2007-11-06 16:44 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-06 16:41 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-06 16:39 <DIR> d-------- C:\WINDOWS\EHome
2007-11-06 16:35 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-11-06 16:35 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-11-06 16:28 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-06 16:19 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 16:13 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-06 16:01 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-11-06 16:00 <DIR> d-------- C:\NVIDIA
2007-11-06 16:00 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-11-06 15:54 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\acccore
2007-11-06 15:54 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-11-06 15:54 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-11-06 15:54 77,312 --a------ C:\WINDOWS\system32\browser.dll
2007-11-06 15:54 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-11-06 15:54 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-11-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-11-06 15:51 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-06 15:51 <DIR> d-------- C:\Program Files\AIM6
2007-11-06 15:48 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-11-06 15:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-06 15:42 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-11-06 15:42 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-11-06 15:33 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2007-11-06 15:33 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2007-11-06 15:31 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-06 15:31 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2007-11-06 15:31 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-11-06 15:31 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-11-06 15:31 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-11-06 15:31 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-11-06 15:29 <DIR> d---s---- C:\Documents and Settings\AhMed\UserData
2007-11-06 15:29 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-06 15:29 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-06 15:29 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-06 15:29 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\WINDOWS
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Sony Corporation
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\InterTrust
2007-11-06 15:19 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-06 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-11-06 15:18 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 00:44 24,064 ----a-w C:\WINDOWS\system32\wgdoor0.dll
2007-11-09 00:44 20,480 ----a-w C:\WINDOWS\system32\zxdoor0.dll
2007-11-09 00:44 15,872 ----a-w C:\WINDOWS\system32\rxdoor0.dll
2007-11-09 00:44 14,848 ----a-w C:\WINDOWS\system32\tldoor0.dll
2007-11-09 00:44 14,336 ----a-w C:\WINDOWS\system32\csdoor0.dll
2007-11-06 21:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-06 20:25 --------- d-----w C:\Program Files\Common Files\Real
2007-11-06 20:24 --------- d-----w C:\Program Files\QUICKENW
2007-11-06 20:23 --------- d-----w C:\Program Files\Sony
2007-11-06 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 22:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 22:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 22:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 22:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 22:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 22:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 22:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 22:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 22:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 22:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 22:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 22:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 22:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 22:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 22:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 22:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 22:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 22:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 22:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 22:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 22:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 22:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 22:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 22:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 22:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
C:\Program Files\Common Files\goskdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 18:07 C:\WINDOWS\LTSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-10-04 17:14]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 12:59 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-10-04 17:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-08 17:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58]

C:\Documents and Settings\AhMed\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}"= C:\Program Files\Internet Explorer\rksldk.dll [ ]
"{3422FB0F-95EB-458A-8B56-39552017A4EF}"= C:\WINDOWS\system32\mhdoor0.dll [ ]
"{5731EA1D-6AAF-4DE9-BDDA-7B390A75B286}"= C:\WINDOWS\system32\wodoor0.dll [ ]
"{11DB88F9-409B-475E-8FD7-411653F6D367}"= C:\WINDOWS\system32\55550.dll [ ]
"{32C4BAF4-0411-4000-BDFB-A6F71E669F8C}"= C:\WINDOWS\system32\csdoor0.dll [2007-11-08 19:44 14336]
"{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3}"= C:\WINDOWS\system32\wldoor0.dll [ ]
"{A3C95A74-638D-4C6B-A856-4B27664A7F47}"= C:\WINDOWS\system32\wgdoor0.dll [2007-11-08 19:44 24064]
"{D8CC4845-441C-44F8-9053-28F2EF67655B}"= C:\WINDOWS\system32\dadoor0.dll [ ]
"{A120A1D0-CBCC-4F9B-A183-78B27E4C1B5C}"= C:\WINDOWS\system32\dh3oor0.dll [ ]
"{6826A3DB-EA8E-4E67-880D-53D04C7C0BD8}"= C:\WINDOWS\system32\qjdoor0.dll [ ]
"{EDFF29C1-5A70-4460-AC1D-16DCB4B672F0}"= C:\WINDOWS\system32\rxdoor0.dll [2007-11-08 19:44 15872]
"{68F7767A-090C-4BBF-A015-720ACC6706E2}"= C:\WINDOWS\system32\wddoor0.dll [ ]
"{08E909A4-B236-48DD-8BCC-90A604B93E68}"= C:\WINDOWS\system32\tldoor0.dll [2007-11-08 19:44 14848]
"{781FBCC1-99C7-4AE0-95F7-66EA49E86DD7}"= C:\WINDOWS\system32\zxdoor0.dll [2007-11-08 19:44 20480]
"{4E3FBFA4-F1CC-4B66-B333-B9F0FF4B4748}"= C:\WINDOWS\system32\mydoor0.dll [ ]
"{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}"= C:\WINDOWS\system32\qhdoor0.dll [ ]
"{04A0CB31-FDEB-4EB8-889B-E00ED87BCE23}"= C:\WINDOWS\system32\cqdoor0.dll [ ]
"{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}"= C:\WINDOWS\system32\fydoor0.dll [ ]
"{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}"= C:\WINDOWS\system32\qqdoor0.dll [2007-06-13 05:23 15872]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\system32\Drivers\SMBE.SYS

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 19:56:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 19:57:54
.
--- E O F ---



HIJACKTHIS LOG.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:04 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1194380943249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194380995593
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 4819 bytes


AVG found 24 Trojans and 1 Virus, said it cleaned them but they re-appear. Don't know if that's important. =)

Edited by ahMedeightsix0, 08 November 2007 - 08:16 PM.


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 November 2007 - 08:35 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\wgdoor0.dll
C:\WINDOWS\system32\zxdoor0.dll
C:\WINDOWS\system32\rxdoor0.dll
C:\WINDOWS\system32\tldoor0.dll
C:\WINDOWS\system32\csdoor0.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}"=-
"{3422FB0F-95EB-458A-8B56-39552017A4EF}"=-
"{5731EA1D-6AAF-4DE9-BDDA-7B390A75B286}"=-
"{11DB88F9-409B-475E-8FD7-411653F6D367}"=-
"{32C4BAF4-0411-4000-BDFB-A6F71E669F8C}"=-
"{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3}"=-
"{A3C95A74-638D-4C6B-A856-4B27664A7F47}"=-
"{D8CC4845-441C-44F8-9053-28F2EF67655B}"=-
"{A120A1D0-CBCC-4F9B-A183-78B27E4C1B5C}"=-
"{6826A3DB-EA8E-4E67-880D-53D04C7C0BD8}"=-
"{EDFF29C1-5A70-4460-AC1D-16DCB4B672F0}"=-
"{68F7767A-090C-4BBF-A015-720ACC6706E2}"=-
"{08E909A4-B236-48DD-8BCC-90A604B93E68}"=-
"{781FBCC1-99C7-4AE0-95F7-66EA49E86DD7}"=-
"{4E3FBFA4-F1CC-4B66-B333-B9F0FF4B4748}"=-
"{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}"=-
"{04A0CB31-FDEB-4EB8-889B-E00ED87BCE23}"=-
"{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}"=-
"{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
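The CFScript in the post above was assembled by hand from the ComboFix log in post #5: the ShellExecuteHooks that ComboFix printed with a timestamp and size go under File::, the orphaned BHO key is dropped with the [-KEY] form, and every hook value is cleared with "=-". As an added example (not part of this thread, and not ComboFix's own code), the Python below does that cross-referencing mechanically: it parses the "Reg Loading Points" section, separates hooks whose DLL ComboFix could stat from those it printed with empty brackets, and emits the same three CFScript sections. The sample input is constructed from lines quoted in this thread; the reading of "[ ]" as "no file metadata found" is an assumption drawn from the log rather than documented ComboFix behaviour, and, as the log itself notes, ComboFix already suppresses the legitimate default hooks, so every listed hook is treated as a review candidate.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: lines copied from the ComboFix "Reg Loading Points"
# section quoted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
C:\Program Files\Common Files\goskdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 18:07 C:\WINDOWS\LTSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}"= C:\Program Files\Internet Explorer\rksldk.dll [ ]
"{32C4BAF4-0411-4000-BDFB-A6F71E669F8C}"= C:\WINDOWS\system32\csdoor0.dll [2007-11-08 19:44 14336]
"{A3C95A74-638D-4C6B-A856-4B27664A7F47}"= C:\WINDOWS\system32\wgdoor0.dll [2007-11-08 19:44 24064]
"{D8CC4845-441C-44F8-9053-28F2EF67655B}"= C:\WINDOWS\system32\dadoor0.dll [ ]
"""

# Registry locations exactly as ComboFix prints them in the log above.
HOOKS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Explorer\ShellExecuteHooks")
BHO_KEY_PREFIX = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"

# "[KEY]" header line, and a hook value line: "{CLSID}"= <path> [<metadata>]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
HOOK_RE = re.compile(
    r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"=\s*(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class Hook:
    clsid: str
    path: str
    present: bool  # True when ComboFix printed a timestamp/size for the DLL


def parse_log(text: str) -> Tuple[List[Hook], List[str]]:
    """Return the ShellExecuteHook entries and the CLSIDs of listed BHO keys."""
    hooks: List[Hook] = []
    bho_clsids: List[str] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            if current_key.startswith(BHO_KEY_PREFIX):
                bho_clsids.append(current_key[len(BHO_KEY_PREFIX):])
            continue
        if current_key == HOOKS_KEY:
            hook_match = HOOK_RE.match(line)
            if hook_match:
                meta = hook_match.group("meta").strip()
                hooks.append(Hook(hook_match.group("clsid"),
                                  hook_match.group("path"),
                                  present=bool(meta)))  # "[ ]" => no file found
    return hooks, bho_clsids


def build_cfscript(hooks: List[Hook], bho_clsids: List[str]) -> str:
    """Emit File::/Registry:: sections in the layout used by the post above."""
    lines: List[str] = []
    on_disk = [h.path for h in hooks if h.present]
    if on_disk:
        lines.append("File::")
        lines.extend(on_disk)  # only DLLs ComboFix actually found on disk
    lines.append("Registry::")
    for clsid in bho_clsids:
        lines.append(f"[-{BHO_KEY_PREFIX}{clsid}]")  # [-KEY] deletes the key
    if hooks:
        lines.append(f"[{HOOKS_KEY}]")
        for hook in hooks:
            lines.append(f'"{hook.clsid}"=-')  # "name"=- deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed_hooks, parsed_bhos = parse_log(SAMPLE_LOG)
    print(build_cfscript(parsed_hooks, parsed_bhos))
```

Hooks printed with empty brackets are still removed from the registry (a dangling hook value is as much a persistence point as a live one) but are left out of File::, since there is nothing on disk to delete; on a fresh log the Find3M report is the place to check whether those DLLs reappear under a new timestamp, as the poster observed with AVG.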

#7 ahMedeightsix0

ahMedeightsix0
  • Topic Starter

  • Members
  • 17 posts

Posted 08 November 2007 - 09:08 PM

COMBOFIX LOG.

ComboFix 07-11-08.3 - AhMed 2007-11-08 20:59:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.673 [GMT -5:00]
Running from: C:\Documents and Settings\AhMed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AhMed\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\csdoor0.dll
C:\WINDOWS\system32\rxdoor0.dll
C:\WINDOWS\system32\tldoor0.dll
C:\WINDOWS\system32\wgdoor0.dll
C:\WINDOWS\system32\zxdoor0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\system32\csdoor0.dll
C:\WINDOWS\system32\rxdoor0.dll
C:\WINDOWS\system32\tldoor0.dll
C:\WINDOWS\system32\wgdoor0.dll
C:\WINDOWS\system32\zxdoor0.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 19:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 18:17 <DIR> d-------- C:\Program Files\Driver Cleaner Pro
2007-11-08 17:58 <DIR> d-------- C:\WINDOWS\Sun
2007-11-08 17:21 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\AVG7
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-08 17:20 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-08 17:20 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-08 17:14 <DIR> d-------- C:\Program Files\Sygate
2007-11-08 17:14 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-08 17:14 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-08 17:14 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-08 17:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-07 20:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 20:14 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-06 19:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-06 19:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Ventrilo
2007-11-06 19:18 <DIR> d-------- C:\Program Files\iPod
2007-11-06 19:18 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Apple Computer
2007-11-06 19:17 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 19:16 <DIR> d-------- C:\Program Files\QuickTime
2007-11-06 19:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-06 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-06 19:15 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-06 19:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-06 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-06 19:02 <DIR> d-------- C:\Program Files\Steam
2007-11-06 19:01 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-06 18:59 <DIR> d-------- C:\Program Files\Java
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Nattyware
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 18:58 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 18:57 <DIR> d-------- C:\Program Files\LimeWire
2007-11-06 18:49 <DIR> d-------- C:\Program Files\RocketDock
2007-11-06 17:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-06 17:16 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
2007-11-06 17:16 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-06 17:12 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-11-06 17:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-06 16:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-06 16:46 <DIR> d-------- C:\WINDOWS\peernet
2007-11-06 16:44 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-06 16:41 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-06 16:39 <DIR> d-------- C:\WINDOWS\EHome
2007-11-06 16:35 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-11-06 16:35 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-11-06 16:28 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-06 16:19 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 16:13 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-06 16:01 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-11-06 16:00 <DIR> d-------- C:\NVIDIA
2007-11-06 16:00 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-11-06 15:54 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\acccore
2007-11-06 15:54 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-11-06 15:54 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-11-06 15:54 77,312 --a------ C:\WINDOWS\system32\browser.dll
2007-11-06 15:54 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-11-06 15:54 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-11-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-11-06 15:51 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-06 15:51 <DIR> d-------- C:\Program Files\AIM6
2007-11-06 15:48 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-11-06 15:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-06 15:42 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-11-06 15:42 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-11-06 15:33 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2007-11-06 15:33 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2007-11-06 15:31 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-06 15:31 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2007-11-06 15:31 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-11-06 15:31 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-11-06 15:31 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-11-06 15:31 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-11-06 15:29 <DIR> d---s---- C:\Documents and Settings\AhMed\UserData
2007-11-06 15:29 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-06 15:29 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-06 15:29 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-06 15:29 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\WINDOWS
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\Sony Corporation
2007-11-06 15:20 <DIR> d-------- C:\Documents and Settings\AhMed\Application Data\InterTrust
2007-11-06 15:19 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-06 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-11-06 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Sony Corporation
2007-11-06 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InterTrust
2007-11-06 15:18 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 21:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-06 20:25 --------- d-----w C:\Program Files\Common Files\Real
2007-11-06 20:24 --------- d-----w C:\Program Files\QUICKENW
2007-11-06 20:23 --------- d-----w C:\Program Files\Sony
2007-11-06 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 22:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 22:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 22:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 22:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 22:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 22:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 22:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 22:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 22:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 22:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 22:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 22:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 22:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 22:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 22:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 22:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 22:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 22:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 22:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 22:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 22:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 22:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 22:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 22:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 22:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 18:07 C:\WINDOWS\LTSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-10-04 17:14]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 12:59 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-10-04 17:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-08 17:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58]

C:\Documents and Settings\AhMed\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}"= C:\WINDOWS\system32\qqdoor0.dll [2007-06-13 05:23 15872]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\system32\Drivers\SMBE.SYS

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 21:03:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 21:05:54 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 19:57
.
--- E O F ---




HIJACKTHIS LOG.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:16 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\RocketDock\RocketDock.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1194380943249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194380995593
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 4750 bytes

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 09 November 2007 - 09:11 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}"=-


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser windows and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your pc is running now.
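An added example, not code from the thread, from RichieUK, or from ComboFix: a small Python triage script that pulls the ShellExecuteHooks values out of a ComboFix "Reg Loading Points" section (line layout as seen in the posted log), flags any hook whose DLL is not a known-good hook or whose file name belongs to the same name family as files ComboFix already removed (the *door0.dll set in the "Other Deletions" section above), and emits the same REGEDIT4 "=-" deletion form that the fix.reg in the post uses. Assumptions, all mine: the value-line format, a one-entry shell32.dll allowlist, the "drop the two leading letters" family heuristic, and the constructed sample log, whose second hook entry (an all-zero CLSID) is a made-up stand-in. One caveat worth keeping in mind when reading the fix: merging such a .reg file removes only the registry value; the DLL it pointed at (C:\WINDOWS\system32\qqdoor0.dll in the Reg Loading Points section above) is not deleted by that step.

```python
"""Triage ShellExecuteHooks entries in a ComboFix log and build the REGEDIT4
text that deletes a flagged value (the same '"{CLSID}"=-' form as the fix.reg
in the post). Added example; not code from the thread or from ComboFix.
The sample log below is constructed: the *door0.dll deletions and the
qqdoor0.dll hook mirror the posted log, the second hook entry (all-zero
CLSID, made-up size/date) is a stand-in for the stock shell32.dll hook."""
import re
from collections import Counter

HOOK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\ShellExecuteHooks")

# A value line under that key, in the layout seen in the posted
# "Reg Loading Points" section:  "{CLSID}"= <dll path> [<date time size>]
HOOK_LINE = re.compile(
    r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"=\s*(?P<path>\S.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')

# Assumption: on a stock XP box the only ShellExecuteHooks DLL is shell32.dll,
# so a one-item allowlist is enough for single-machine triage.
KNOWN_GOOD_DLLS = {"shell32.dll"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def family(name):
    """Drop the two-letter prefix that varies across csdoor0/rxdoor0/qqdoor0,
    so siblings of one dropper collapse onto the same family key."""
    return name[2:] if len(name) > 2 else name


def parse_sections(log):
    """Return (deleted_paths, hooks): paths listed under 'Other Deletions'
    and (clsid, dll_path) pairs listed under the ShellExecuteHooks key."""
    deleted, hooks = [], []
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            section = "deleted"
        elif line.startswith("((("):          # any other banner ends a section
            section = None
        elif line == f"[{HOOK_KEY}]":
            section = "hooks"
        elif line.startswith("["):            # some other registry key
            section = None
        elif section == "deleted" and re.match(r"^[A-Za-z]:\\", line):
            deleted.append(line)
        elif section == "hooks":
            m = HOOK_LINE.match(line)
            if m:
                hooks.append((m["clsid"], m["path"]))
    return deleted, hooks


def suspicious_hooks(deleted, hooks, min_siblings=2):
    """Flag a hook if its DLL is not known-good, or if ComboFix already
    deleted >= min_siblings files from the same name family."""
    fam_count = Counter(family(basename(p)) for p in deleted)
    flagged = []
    for clsid, path in hooks:
        name = basename(path)
        reasons = []
        if name not in KNOWN_GOOD_DLLS:
            reasons.append("not a known-good hook DLL")
        if fam_count[family(name)] >= min_siblings:
            reasons.append(f"{fam_count[family(name)]} sibling files already deleted")
        if reasons:
            flagged.append((clsid, path, reasons))
    return flagged


def reg_delete_value(key, value_name):
    """REGEDIT4 text deleting one value; '"name"=-' is the delete syntax and
    the blank line after the header is part of the format."""
    return f'REGEDIT4\n\n[{key}]\n"{value_name}"=-\n'


def triage(log):
    """Parse, flag, and return (flagged, fix_texts) ready for review."""
    deleted, hooks = parse_sections(log)
    flagged = suspicious_hooks(deleted, hooks)
    fixes = [reg_delete_value(HOOK_KEY, clsid) for clsid, _, _ in flagged]
    return flagged, fixes


# Constructed sample, modelled on the posted ComboFix log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\system32\csdoor0.dll
C:\WINDOWS\system32\rxdoor0.dll
C:\WINDOWS\system32\tldoor0.dll
C:\WINDOWS\system32\wgdoor0.dll
C:\WINDOWS\system32\zxdoor0.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-08 17:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}"= C:\WINDOWS\system32\qqdoor0.dll [2007-06-13 05:23 15872]
"{00000000-0000-0000-0000-000000000001}"= C:\WINDOWS\system32\shell32.dll [2004-08-04 07:56 8461312]
"""

if __name__ == "__main__":
    for (clsid, path, reasons), fix in zip(*triage(SAMPLE_LOG)):
        print(f"{clsid} -> {path}: {'; '.join(reasons)}")
        print(fix)
```

Run as-is it reports the qqdoor0.dll hook with both reasons and prints a REGEDIT4 block identical in form to the one in the post; the shell32.dll stand-in is left alone. The family heuristic is deliberately dumb (it is only meant to tie a leftover registry value to a dropper family the scanner already removed), so treat a hit as a prompt to look at the file, not as proof.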



