Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan-downloader.small.cml


  • Please log in to reply
8 replies to this topic

#1 Vinicius

Vinicius

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 17 November 2007 - 04:16 PM

Hello,

Recently, my computer slowed down Dramatically. I checked my computer with various programs, to no avail. Spyware Doctor found the following Trojan: http://www.pctools.com/mrc/infections/id/T...oader.Small.CML.
I tried to remove it, but it seems to install itself again every time I log off. The trojan is supposed to be here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\N...\wineil32

Also, I keep getting a tray icon, supposedly from Microsoft, that urges me to install "Ultimate Cleaner". But that seems to be Malware, too.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:20 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Hslvwawh\gwzhaogb.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lonczkna] rundll32.exe "C:\Program Files\lonczkna\pyfslsds.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [gjirihgp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gjirihgp.dll"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJxdm130YYIL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://www.sonypictures.com/games/thedavin...aderControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://smarteam.webex.com/client/T23L/webex/ieatgpc.cab
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 8160 bytes

I hope you could help me

Thanks in advance,

Vinicius

BC AdBot (Login to Remove)

 


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:03 PM

Posted 22 November 2007 - 12:12 PM

Hi, Wellcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:03 PM

Posted 22 November 2007 - 02:03 PM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 Vinicius

Vinicius
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 23 November 2007 - 04:27 PM

Hello,

Here's the combofix log:

ComboFix 07-11-19.3 - Asaf 2007-11-23 23:11:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.613 [GMT 2:00]
Running from: C:\Documents and Settings\Asaf\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Asaf\err.log
C:\Documents and Settings\Yali\Application Data\FunWebProducts
C:\Documents and Settings\Yali\Application Data\FunWebProducts\Data\Yali\avatar.dat
C:\Documents and Settings\Yali\Application Data\FunWebProducts\Data\Yali\register.dat
C:\Documents and Settings\Yali\Application Data\FunWebProducts\Data\Yali\zbucks.dat
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\SSSInstaller.dll
C:\Program Files\screensavers.com\SSSUninst.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\vgfddwtv
C:\WINDOWS\system32\vgfddwtv\bg1.gif
C:\WINDOWS\system32\vgfddwtv\bgtop.gif
C:\WINDOWS\system32\vgfddwtv\bottom1.gif
C:\WINDOWS\system32\vgfddwtv\essentials.gif
C:\WINDOWS\system32\vgfddwtv\icon1.ico
C:\WINDOWS\system32\vgfddwtv\install1.gif
C:\WINDOWS\system32\vgfddwtv\left1.gif
C:\WINDOWS\system32\vgfddwtv\li.gif
C:\WINDOWS\system32\vgfddwtv\logo.gif
C:\WINDOWS\system32\vgfddwtv\main.htm
C:\WINDOWS\system32\vgfddwtv\mainframe.htm
C:\WINDOWS\system32\vgfddwtv\reinstall1.gif
C:\WINDOWS\system32\vgfddwtv\right1.gif
C:\WINDOWS\system32\vgfddwtv\s1.htm
C:\WINDOWS\system32\vgfddwtv\s2.htm
C:\WINDOWS\system32\vgfddwtv\s3.htm
C:\WINDOWS\system32\vgfddwtv\SMTop1.gif
C:\WINDOWS\system32\vgfddwtv\SMTop2.gif
C:\WINDOWS\system32\vgfddwtv\SMTop3.gif
C:\WINDOWS\system32\vgfddwtv\SMTop4.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_off.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_on.gif
C:\WINDOWS\system32\vgfddwtv\softleft_off.gif
C:\WINDOWS\system32\vgfddwtv\softleft_on.gif
C:\WINDOWS\system32\vgfddwtv\top1.gif
C:\WINDOWS\system32\vgfddwtv\top2.gif
C:\WINDOWS\system32\vgfddwtv\turnoff1.gif
C:\WINDOWS\system32\vgfddwtv\turnon1.gif
C:\WINDOWS\system32\vgfddwtv\vgfddwtv1.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv2.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv3.exe
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\winghy32.dll
C:\WINDOWS\Temp\1664.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 18:36 <DIR> d-------- C:\Program Files\Jddrzlue
2007-11-23 18:36 <DIR> d-------- C:\Program Files\abwjwncn
2007-11-23 18:36 131,072 --a------ C:\Documents and Settings\All Users\Application Data\crufgpof.dll
2007-11-23 17:42 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-23 17:40 10,240 --a------ C:\Program Files\spoolsv.exe
2007-11-23 00:31 37,376 --a------ C:\WINDOWS\system32\mljhifg.dll
2007-11-17 22:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\MEGAUPLOADTOOLBAR
2007-11-17 21:37 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-17 21:22 <DIR> d-------- C:\Documents and Settings\Asaf\Application Data\HouseCall 6.6
2007-11-17 20:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-17 17:38 <DIR> d-------- C:\Program Files\SuperTux
2007-11-17 16:16 <DIR> d-------- C:\Program Files\Hslvwawh
2007-11-17 16:16 114,688 --a------ C:\Documents and Settings\All Users\Application Data\gjirihgp.dll
2007-11-16 08:42 <DIR> d-------- C:\Program Files\Ejmcpdmu
2007-11-15 11:16 <DIR> d-------- C:\Program Files\Yvgiyviz
2007-11-15 11:16 <DIR> d-------- C:\Program Files\lonczkna
2007-11-15 11:05 <DIR> d-------- C:\Program Files\EarMaster Pro 5
2007-11-15 11:02 <DIR> d-------- C:\Program Files\GetDiz
2007-11-08 21:29 <DIR> d---s---- C:\Documents and Settings\Guest\UserData
2007-11-08 18:42 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\EarMaster
2007-11-07 15:34 <DIR> d-------- C:\Program Files\Nana2
2007-11-05 06:00 <DIR> d-------- C:\sj657
2007-11-05 06:00 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 10:41 <DIR> d-------- C:\Documents and Settings\Asaf\Application Data\EarMaster
2007-11-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EarMaster
2007-11-03 00:58 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2007-11-03 00:58 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2007-11-03 00:52 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2007-11-03 00:52 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-11-01 23:00 <DIR> d-------- C:\Program Files\Gpotato
2007-10-30 16:44 <DIR> d-------- C:\Program Files\XO
2007-10-29 12:26 <DIR> d-------- C:\Documents and Settings\Yali\Application Data\webex
2007-10-29 12:26 186,443 --a------ C:\WINDOWS\system32\atasnt40.dll
2007-10-29 12:26 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2007-10-25 18:35 <DIR> d-------- C:\Program Files\phenomedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 21:14 --------- d-----w C:\Documents and Settings\Asaf\Application Data\MegauploadToolbar
2007-11-23 19:18 --------- d-----w C:\Documents and Settings\Asaf\Application Data\uTorrent
2007-11-23 16:21 --------- d-----w C:\Documents and Settings\Yali\Application Data\MEGAUPLOADTOOLBAR
2007-11-23 12:08 --------- d-----w C:\Documents and Settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2007-11-23 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-22 22:33 37,376 ----a-w C:\WINDOWS\system32\khfdbxu.dll
2007-11-22 22:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 04:40 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-20 13:01 --------- d-----w C:\Program Files\StepMania
2007-11-17 13:47 --------- d-----w C:\Documents and Settings\Asaf\Application Data\AVG7
2007-11-13 05:44 --------- d-----w C:\Program Files\uTorrent
2007-11-05 15:21 --------- d-----w C:\Program Files\ICQ6
2007-11-02 22:58 505,208 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-11-01 07:22 --------- d-----w C:\Documents and Settings\Asaf\Application Data\ICQ
2007-10-21 05:48 --------- d-----w C:\Documents and Settings\Asaf\Application Data\AccurateRip
2007-10-18 22:56 --------- d-----w C:\Program Files\MegauploadToolbar
2007-10-12 13:56 --------- d-----w C:\Program Files\Common Files\Real
2007-10-12 13:55 --------- d-----w C:\Program Files\Real
2007-10-04 15:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 15:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 15:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 15:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-02 12:20 --------- d-----w C:\Program Files\LittleFighter2
2007-09-27 12:35 --------- d-----w C:\Documents and Settings\Yali\Application Data\AVG7
2007-09-23 21:10 --------- d-----w C:\Documents and Settings\Asaf\Application Data\ArcSoft
2007-09-20 08:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-09-20 08:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2006-07-19 22:12 604 ---ha-w C:\Program Files\STLL Notifier
2006-01-04 12:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-06-12 13:27 8 --sh--r C:\WINDOWS\system32\95F1427B7D.sys
2007-06-12 13:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
2007-11-23 18:36 131072 --a------ C:\Program Files\Jddrzlue\qjhepgkq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
2007-11-17 16:16 114688 --a------ C:\Program Files\Hslvwawh\gwzhaogb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24D3D1D3-FC58-4589-B355-A8752A24D425}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39DCA74D-233A-4B06-AF17-C6C638594A31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
2007-11-23 00:31 37376 --a------ C:\WINDOWS\system32\mljhifg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-11-23 17:42 18432 --a------ C:\Program Files\E404 Helper\e404.v6.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-11 09:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-09 18:49]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 14:00 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED203331-9C33-49D8-8714-D24A366A04EC}"= C:\WINDOWS\system32\mljhifg.dll [2007-11-23 00:31 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhifg]
mljhifg.dll 2007-11-23 00:31 37376 C:\WINDOWS\system32\mljhifg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineil32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bilbulon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-08 16:25 1397760 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

R2 IOSLINK;IOSLINK;\??\C:\WINDOWS\system32\drivers\IosLink.sys
S3 GGK;GGK;\??\C:\DOCUME~1\Ido\LOCALS~1\Temp\Rar$EX05.078\Hackz\ggk.sys
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 23:24:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 23:26:10 - machine was rebooted
.
--- E O F ---


and the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:13 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Jddrzlue\qjhepgkq.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Hslvwawh\gwzhaogb.dll
O2 - BHO: (no name) - {24D3D1D3-FC58-4589-B355-A8752A24D425} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\mljhifg.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJxdm130YYIL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://www.sonypictures.com/games/thedavin...aderControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://smarteam.webex.com/client/T23L/webex/ieatgpc.cab
O20 - Winlogon Notify: mljhifg - C:\WINDOWS\SYSTEM32\mljhifg.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 8136 bytes

Thanks!

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:03 PM

Posted 27 November 2007 - 07:30 AM

Hello,

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

2. Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\system32\95F1427B7D.sys
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...mp;#entry668258
Suspect::
C:\WINDOWS\system32\95F1427B7D.sys

Folder::
C:\Program Files\Jddrzlue
C:\Program Files\abwjwncn
C:\Program Files\E404 Helper
C:\Program Files\Hslvwawh
C:\Program Files\Ejmcpdmu
C:\Program Files\Yvgiyviz
C:\Program Files\lonczkna

File::
C:\Documents and Settings\All Users\Application Data\crufgpof.dll
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\mljhifg.dll
C:\Documents and Settings\All Users\Application Data\gjirihgp.dll
C:\WINDOWS\system32\khfdbxu.dll
C:\WINDOWS\SYSTEM32\wineil32.dll
C:\WINDOWS\SYSTEM32\winghy32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24D3D1D3-FC58-4589-B355-A8752A24D425}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39DCA74D-233A-4B06-AF17-C6C638594A31}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED203331-9C33-49D8-8714-D24A366A04EC}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhifg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineil32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]

  • Save this as: CFScript.txt
    Posted Image
  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
  • Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
  • Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php
4. In your next reply, please post:
  • New HijackThis log.
  • Result from Jotti.
  • Result from ComboFix.
Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#6 Vinicius

Vinicius
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 27 November 2007 - 04:45 PM

Hello,

The spyware on my computer does now allow me to download combofix. everytime I press one of the links i get redirected to dnserror.org. This happens frequently on other occasions, too.

anyway, here's the jotti scan:

Service load: 0% 100%

File: 95F1427B7D.sys
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 0641a46f1e58529a42ead4573a3a0861
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 27 Nov 2007 19:42:18 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


and the hijackthis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:49 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Jddrzlue\qjhepgkq.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Hslvwawh\gwzhaogb.dll (file missing)
O2 - BHO: (no name) - {24D3D1D3-FC58-4589-B355-A8752A24D425} - (no file)
O2 - BHO: (no name) - {39DCA74D-233A-4B06-AF17-C6C638594A31} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\mljhifg.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJxdm130YYIL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://www.sonypictures.com/games/thedavin...aderControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://smarteam.webex.com/client/T23L/webex/ieatgpc.cab
O20 - Winlogon Notify: mljhifg - mljhifg.dll (file missing)
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 7394 bytes


Thank you

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:03 PM

Posted 27 November 2007 - 05:40 PM

Hello Vinicius,

You forgot to post the the results from ComboFix.

You can find them in: C:\ComboFix.txt, please post that log.

Thank you!
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 Vinicius

Vinicius
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 28 November 2007 - 07:52 AM

Hi,

Luckily, I found a way to download combofix.
So here's the log


ComboFix 07-11-19.4B - Asaf 2007-11-28 14:32:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.649 [GMT 2:00]
Running from: C:\Documents and Settings\Asaf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Asaf\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users\Application Data\crufgpof.dll
C:\Documents and Settings\All Users\Application Data\gjirihgp.dll
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\khfdbxu.dll
C:\WINDOWS\system32\mljhifg.dll
C:\WINDOWS\SYSTEM32\wineil32.dll
C:\WINDOWS\SYSTEM32\winghy32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\abwjwncn
C:\Program Files\abwjwncn\uhgrkvmf.dll
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v6.dll
C:\Program Files\Ejmcpdmu
C:\Program Files\Hslvwawh
C:\Program Files\Jddrzlue
C:\Program Files\lonczkna
C:\Program Files\Yvgiyviz

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-26 18:21 <DIR> d-------- C:\Program Files\Your Cottonelle Puppy
2007-11-17 22:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\MEGAUPLOADTOOLBAR
2007-11-17 21:37 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-17 21:22 <DIR> d-------- C:\Documents and Settings\Asaf\Application Data\HouseCall 6.6
2007-11-17 17:38 <DIR> d-------- C:\Program Files\SuperTux
2007-11-15 11:05 <DIR> d-------- C:\Program Files\EarMaster Pro 5
2007-11-15 11:02 <DIR> d-------- C:\Program Files\GetDiz
2007-11-08 21:29 <DIR> d---s---- C:\Documents and Settings\Guest\UserData
2007-11-08 18:42 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\EarMaster
2007-11-07 15:34 <DIR> d-------- C:\Program Files\Nana2
2007-11-05 06:00 <DIR> d-------- C:\sj657
2007-11-05 06:00 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 10:41 <DIR> d-------- C:\Documents and Settings\Asaf\Application Data\EarMaster
2007-11-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EarMaster
2007-11-03 00:58 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2007-11-03 00:58 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2007-11-03 00:52 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2007-11-03 00:52 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-11-01 23:00 <DIR> d-------- C:\Program Files\Gpotato
2007-10-29 12:26 <DIR> d-------- C:\Documents and Settings\Yali\Application Data\webex
2007-10-29 12:26 186,443 --a------ C:\WINDOWS\system32\atasnt40.dll
2007-10-29 12:26 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-27 19:14 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-11-27 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 12:47 --------- d-----w C:\Documents and Settings\Yali\Application Data\AVG7
2007-11-27 12:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-27 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 12:33 --------- d-----w C:\Program Files\CyberLink DVD Solution
2007-11-27 12:29 --------- d-----w C:\Program Files\Google
2007-11-27 11:01 --------- d-----w C:\Documents and Settings\Asaf\Application Data\MegauploadToolbar
2007-11-26 20:31 --------- d-----w C:\Documents and Settings\Asaf\Application Data\uTorrent
2007-11-26 18:50 --------- d-----w C:\Documents and Settings\Yali\Application Data\MEGAUPLOADTOOLBAR
2007-11-26 12:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 19:01 --------- d-----w C:\Documents and Settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2007-11-25 18:53 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2007-11-20 13:01 --------- d-----w C:\Program Files\StepMania
2007-11-17 13:47 --------- d-----w C:\Documents and Settings\Asaf\Application Data\AVG7
2007-11-13 05:44 --------- d-----w C:\Program Files\uTorrent
2007-11-05 15:21 --------- d-----w C:\Program Files\ICQ6
2007-11-01 07:22 --------- d-----w C:\Documents and Settings\Asaf\Application Data\ICQ
2007-10-25 16:35 --------- d-----w C:\Program Files\phenomedia
2007-10-21 05:48 --------- d-----w C:\Documents and Settings\Asaf\Application Data\AccurateRip
2007-10-12 13:56 --------- d-----w C:\Program Files\Common Files\Real
2007-10-12 13:55 --------- d-----w C:\Program Files\Real
2007-10-02 12:20 --------- d-----w C:\Program Files\LittleFighter2
2006-07-19 22:12 604 ---ha-w C:\Program Files\STLL Notifier
2006-01-04 12:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-06-12 13:27 8 --sh--r C:\WINDOWS\system32\95F1427B7D.sys
2007-06-12 13:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-11 09:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 14:00 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bilbulon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-08 16:25 1397760 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

R2 IOSLINK;IOSLINK;\??\C:\WINDOWS\system32\drivers\IosLink.sys
S3 GGK;GGK;\??\C:\DOCUME~1\Ido\LOCALS~1\Temp\Rar$EX05.078\Hackz\ggk.sys
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 14:46:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 14:49:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-23 23:26
.
--- E O F ---

I also submitted the zip file

Thank you!

#9 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:03 PM

Posted 02 December 2007 - 07:55 AM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along whit a new HijackThis log. Also let me know how i your computer its running.
Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users