Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Scprot4.exe Please Help


  • Please log in to reply
4 replies to this topic

#1 Dean_whu

Dean_whu

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 25 November 2007 - 11:22 PM

Hello there, I really need some help please. I already have spybot and adaware and my own anti-virus program. I downloaded a file and checked it for any viruses and it came up clean. Unfortunately it so happens the file was malware and has infected my
system with Scprot4.exe and the fake security center screen.

I have run the afore mentioned programs a couple of times, plus the others you recommend in the tutorial for malware removal. The internet explorer ones (i.e) panda etc found a lot of problems but I believe may have crashed at some point.
Betwen running all these programs some of the files I was suspicious about have been removed. There is one folder I cannot remove manually saying it is in use, titled: SecCenter and containing Scprot4.exe! Obviously I could do without that being there!

I am aware that other people have suffered with this before, however, I did not simply want to follow the eact same procedure, believing it could manifest itself in different ways.

I thoroughly appreciate any help you are able to give me. Thank you in advance for your time.

Below is my HijakThis log file. I look forward to hearing from you.

Regards, Dean

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:21:43, on 26/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\CheckPoint\Integrity Client\iclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
E:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Syrius Updater\SyriusUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whufc.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Qsermfgk\juggkcvd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\yayxuuu.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] e:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "e:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iHP-100] E:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "e:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [pcdafgpo] rundll32.exe "C:\Program Files\pcdafgpo\nkjuhcxa.dll",Init
O4 - HKLM\..\Run: [slyfwjmf] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\slyfwjmf.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [mzsxmdch] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mzsxmdch.dll"
O4 - HKLM\..\Run: [dmlslwli] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dmlslwli.dll"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = E:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Syrius Updater.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - E:\PROGRA~1\VCPOKE~1\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EB7C6E1-56F8-4100-9FBA-458F429552ED}: NameServer = 90.207.238.97,87.86.189.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O20 - Winlogon Notify: yayxuuu - C:\WINDOWS\SYSTEM32\yayxuuu.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - e:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8415 bytes

BC AdBot (Login to Remove)

 


#2 Dean_whu

Dean_whu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 26 November 2007 - 07:08 AM

Hello, is anyone able to help please? I am having great trouble with this...

Thanks again, Dean.

#3 Dean_whu

Dean_whu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 26 November 2007 - 08:32 AM

Hello, to speed things along I have followed the first step from a similar problem.

Below are my Combofix and new hijakthis logs.....Thanks again.




ComboFix 07-11-19.4 - Joan Thornhill 2007-11-26 13:21:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT 0:00]
Running from: C:\Documents and Settings\Joan Thornhill\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ghwpudyn.dll
C:\Documents and Settings\Joan Thornhill\Application Data\inst.exe
C:\Documents and Settings\Joan Thornhill\My Documents\DOBE~1
C:\Documents and Settings\Joan Thornhill\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Joan Thornhill\My Documents\DOBE~1\spoolsv.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 13:07 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-11-26 13:06 <DIR> d-------- C:\Program Files\Ozywaslk
2007-11-26 12:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-26 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-26 12:19 <DIR> d-------- C:\Program Files\Symantec
2007-11-26 12:19 <DIR> d-------- C:\Program Files\SAV93TMP
2007-11-26 01:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-26 01:48 <DIR> d-------- C:\Program Files\Qsermfgk
2007-11-26 01:48 131,072 --a------ C:\Documents and Settings\All Users\Application Data\dmlslwli.dll
2007-11-25 23:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 23:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 23:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-25 23:27 <DIR> d-------- C:\Documents and Settings\Joan Thornhill\.housecall6.6
2007-11-25 21:49 <DIR> d-------- C:\Program Files\Dforkbgz
2007-11-25 21:47 <DIR> d-------- C:\WINDOWS\system32\vgfddwtv
2007-11-25 21:47 <DIR> d-------- C:\Program Files\pcdafgpo
2007-11-25 21:47 <DIR> d-------- C:\Program Files\Ldvwcjsi
2007-11-25 21:47 131,072 --a------ C:\Documents and Settings\All Users\Application Data\slyfwjmf.dll
2007-11-25 21:47 150 --a------ C:\temp2.bat
2007-11-25 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-25 21:28 <DIR> d-------- C:\Program Files\ContextTool
2007-11-16 14:26 <DIR> d-------- C:\Program Files\Diner Dash Flo on the Go
2007-11-16 14:26 <DIR> d-------- C:\Program Files\BFG
2007-11-16 11:48 <DIR> d-------- C:\Documents and Settings\Joan Thornhill\Application Data\PlayFirst
2007-11-16 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-16 11:47 <DIR> d-------- C:\WINDOWS\Diner Dash
2007-11-16 11:47 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-11-16 11:47 <DIR> d-------- C:\Program Files\Diner Dash 2
2007-11-16 11:47 <DIR> d-------- C:\Program Files\Diner Dash
2007-11-15 18:45 <DIR> d---s---- C:\Documents and Settings\Joan Thornhill\UserData
2007-10-26 20:03 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 13:26 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\Skype
2007-11-26 13:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-26 13:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 12:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-26 00:11 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-25 23:58 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-11-25 23:58 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-25 21:37 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\uTorrent
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-24 14:24 --------- d-----w C:\Program Files\Yahoo!
2007-10-20 22:17 --------- d-----w C:\Program Files\MP3 Wav Editor
2007-10-17 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2007-10-17 16:53 --------- d-----w C:\Program Files\Common Files\River Past
2007-10-17 16:53 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\River Past G5
2007-10-17 16:48 47,360 ----a-w C:\Documents and Settings\Joan Thornhill\Application Data\pcouffin.sys
2007-10-17 16:48 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\Vso
2007-10-17 16:44 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-10-15 19:05 --------- d-----w C:\Program Files\MSN Messenger
2007-10-15 14:14 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-14 15:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-13 21:37 --------- d-----w C:\Program Files\uTorrent
2007-10-13 21:25 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\NewsLeecher
2007-09-29 20:14 --------- d-----w C:\Documents and Settings\Joan Thornhill\Application Data\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
2007-11-26 01:48 131072 --a------ C:\Program Files\Qsermfgk\juggkcvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35BFEF80-9814-0F5F-9961-0444D2412BD9}]
2007-11-26 13:06 102400 --a------ C:\Program Files\Ozywaslk\wywgrmse.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
2007-11-25 21:47 37376 --------- C:\WINDOWS\system32\yayxuuu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-05 17:35]
"updateMgr"="E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"NBJ"="E:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-04 01:07 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 05:42 C:\WINDOWS\soundman.exe]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 02:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 16:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 14:21]
"HPHUPD05"="E:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-04-01 10:33]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 15:41]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-05-05 05:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"InCD"="e:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-13 21:07]
"RemoteControl"="e:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"iHP-100"="E:\Program Files\iRiver\iHP100\iHPDetect.exe" [2003-09-30 17:16]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-02-13 22:46]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:07 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:07 C:\WINDOWS\system32\rundll32.exe]
"CloneCDTray"="e:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 13:47]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:07]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - E:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 12:23:32]
Syrius Updater.lnk - C:\WINDOWS\Installer\{964A0E79-160F-4F5F-97D0-9C03CFA434FA}\Icon964A0E79.exe [2007-08-21 19:00:29]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED203331-9C33-49D8-8714-D24A366A04EC}"= C:\WINDOWS\system32\yayxuuu.dll [2007-11-25 21:47 37376]
C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32]
winmqx32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxuuu]
yayxuuu.dll 2007-11-25 21:47 37376 C:\WINDOWS\system32\yayxuuu.dll

R3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 13:02:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 13:25:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 13:27:40 - machine was rebooted
.
--- E O F ---









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:27, on 26/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Syrius Updater\SyriusUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\CheckPoint\Integrity Client\iclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whufc.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Qsermfgk\juggkcvd.dll
O2 - BHO: (no name) - {35BFEF80-9814-0F5F-9961-0444D2412BD9} - C:\Program Files\Ozywaslk\wywgrmse.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\yayxuuu.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] e:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "e:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iHP-100] E:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "e:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = E:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Syrius Updater.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - E:\PROGRA~1\VCPOKE~1\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EB7C6E1-56F8-4100-9FBA-458F429552ED}: NameServer = 90.207.238.97,87.86.189.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O20 - Winlogon Notify: yayxuuu - C:\WINDOWS\SYSTEM32\yayxuuu.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - e:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8277 bytes

#4 Dean_whu

Dean_whu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 05 December 2007 - 11:27 AM

Cheers for your help, worth signing up for......

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:56 PM

Posted 11 December 2007 - 02:42 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.


Let's uninstall ComboFix
  • Click on : Start >> Run...
  • Type: Combofix /u and hit Enter
Then,
  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new hijackthislog.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

Doing this allows me to work with the latest version of Combofix.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users