Hijackthis.log


This topic is locked.
19 replies to this topic

#1 mrdogcat (Members, 12 posts)

Posted 28 December 2007 - 10:44 AM

Hi, my computer has started to take ages to function properly once Windows XP has started up. Also, the HDD is constantly working, reducing performance.

I've prepared my computer by doing the relevant scans for adware, malware and spyware, installed system updates and saved out a HijackThis log file.

Could someone please take a look at it for me and take me through what I need to do if there is anything that shouldn't be there?

Thanks


----------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43:25, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [defender] c:\\defender23.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Compaq Service Drivers] winsvc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Compaq Service Drivers] winsvc.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148596483202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148596917390
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\samapi.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9253 bytes

Edited by mrdogcat, 28 December 2007 - 07:41 PM.


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 28 December 2007 - 05:47 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, mrdogcat.
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix and save it to your desktop:
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and re-download ComboFix.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log, please.

#3 mrdogcat (Topic Starter, Members, 12 posts)

Posted 28 December 2007 - 07:46 PM

Hi RichieUK, and thanks for your speedy reply!

I've edited my first post to avoid unnecessary scrolling. So the HijackThis log should read how you want it.

Also below is the ComboFix log you needed:

PS. How on earth can you read any of this stuff and understand it!!! :blink: :thumbsup:


----------------------------


ComboFix 07-12-29.3 - Steve 2007-12-29 0:05:28.1 - NTFSx86
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steve\Application Data\Sskdmns.dll
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\icroso~1

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 18:59 . 2007-12-28 18:59 <DIR> d-------- C:\Program Files\LG Electronics
2007-12-28 18:58 . 2007-12-28 18:59 <DIR> d-------- C:\Program Files\LG PC Suite 2
2007-12-28 15:43 . 2007-12-28 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 00:18 . 2007-12-19 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-18 16:46 . 2007-12-18 16:46 <DIR> d-------- C:\Documents and Settings\Dada\Application Data\ATI
2007-12-16 21:31 . 2007-12-16 21:31 1,024 --a------ C:\WINDOWS\system32\ezmdy0r.tgz
2007-12-16 21:30 . 2007-12-16 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VertusTech
2007-12-13 19:11 . 2007-12-13 19:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-13 19:11 . 2007-12-13 19:11 22,328 --a------ C:\Documents and Settings\Steve\Application Data\PnkBstrK.sys
2007-12-13 19:10 . 2007-12-13 19:10 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-12-13 19:10 . 2007-12-13 19:10 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-12-13 19:10 . 2007-12-13 19:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-12-13 13:12 . 2007-12-18 01:58 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\DivX
2007-12-12 21:31 . 2007-12-12 21:31 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-12 19:08 . 2007-12-12 19:08 <DIR> d-------- C:\Program Files\DIFX
2007-12-12 18:58 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-12 18:58 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-12 18:58 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-12 18:58 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-12 18:58 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-12-12 18:43 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-12 18:43 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-12 18:43 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-12-12 13:36 . 2007-12-12 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\ICAClient
2007-12-12 13:36 . 2007-12-20 00:20 73 --a------ C:\WINDOWS\webica.ini
2007-12-12 13:34 . 2007-12-12 13:34 <DIR> d-------- C:\Program Files\Citrix
2007-12-11 21:22 . 2007-12-11 21:22 <DIR> d-------- C:\Program Files\RADVideo
2007-12-08 15:42 . 2007-12-08 15:42 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\ATI
2007-12-08 15:42 . 2007-12-08 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-12-08 15:25 . 2007-12-08 15:36 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2007-12-08 15:24 . 2007-11-01 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-12-08 15:24 . 2007-11-02 04:10 364,544 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-08 15:24 . 2007-11-02 03:35 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-12-08 15:24 . 2007-10-04 09:02 11,283 --a------ C:\WINDOWS\atiogl.xml
2007-12-08 15:24 . 2007-08-31 13:20 7,167 --a------ C:\WINDOWS\system32\atifglpf.xml
2007-12-08 15:23 . 2007-12-08 15:36 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-08 15:23 . 2007-06-27 01:30 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2007-12-08 15:23 . 2007-06-27 01:30 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2007-12-08 15:23 . 2007-04-18 12:19 1,311,202 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.cpa
2007-12-08 15:23 . 2007-11-02 03:39 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-12-08 15:23 . 2007-09-14 13:03 157,034 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-12-08 15:23 . 2007-09-09 02:37 47,360 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-12-08 15:23 . 2007-04-18 12:19 2,096 -ra------ C:\WINDOWS\system32\drivers\ativdkxx.vp
2007-12-08 15:23 . 2007-05-30 16:43 2,096 --a------ C:\WINDOWS\system32\drivers\ativckxx.vp
2007-12-08 15:23 . 2007-04-18 12:19 929 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.vp
2007-12-02 14:46 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-01 20:06 . 2007-12-01 20:06 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-11-29 01:00 . 2007-11-29 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 00:18 13,088,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-29 00:12 181,544 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-29 00:01 --------- d-----w C:\Documents and Settings\Steve\Application Data\Azureus
2007-12-28 19:31 --------- d-----w C:\Program Files\DivX
2007-12-28 18:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 03:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 12:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-24 14:02 --------- d-----w C:\Program Files\Azureus
2007-12-18 22:43 --------- d-----w C:\Program Files\Electronic Arts
2007-12-12 22:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-12-12 11:22 13,863,005 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-12 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-11 21:34 --------- d-----w C:\Documents and Settings\Steve\Application Data\Bioshock
2007-12-01 20:01 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-29 22:30 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-28 15:21 512 ----a-w C:\ScanSectorLog.dat
2007-11-28 01:25 --------- d-----w C:\Program Files\Java
2007-11-26 21:56 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-11-26 21:56 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-02 05:52 2,644,480 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-11-02 03:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 03:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-04 17:14 5,783,424 ------w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 17:14 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-10-04 17:14 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-10-04 17:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 17:14 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-10-04 17:14 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-10-04 17:14 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-10-04 17:14 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-10-04 17:14 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-10-04 17:14 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-08-13 10:58 19,239,481 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_12_03_21_09_full.dmp.zip
2007-06-12 19:44 18,900,112 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_31_18_19_24_full.dmp.zip
2006-11-25 15:09 81,920 ----a-w C:\Documents and Settings\Steve\Application Data\ezpinst.exe
2006-11-25 15:09 47,360 ----a-w C:\Documents and Settings\Steve\Application Data\pcouffin.sys
2006-12-19 21:49 80,672 --sha-w C:\WINDOWS\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuru"="C:\Program Files\ABIT\ABIT uGuru\uGuru.exe" [2004-09-13 12:37]
"GuruClock"="C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe" [2004-11-08 13:23]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 21:48]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-06-29 05:24]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 C:\WINDOWS\soundman.exe]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 11:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Telecoms Center"="telcoms.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"Compaq Service Drivers"="winsvc.exe" []
"Microsoft Telecoms Center"="telcoms.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Service Drivers"="winsvc.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 11:00 69632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 uGuru;uGuru;C:\WINDOWS\system32\Drivers\uGuru.sys [2004-08-04 12:56]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 10:22]
S2 klmc;klmc;C:\WINDOWS\system32\Drivers\klmc.sys []
S3 Memctl;Memctl;C:\Program Files\ABIT\ABIT uGuru\Memctl.sys [2001-11-29 03:49]
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-07-20 05:20]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 19:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-29 00:17:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 00:26:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll
.
Completion time: 2007-12-29 0:33:28 - machine was rebooted [Steve]
.
2007-12-22 12:46:01 --- E O F ---

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 28 December 2007 - 08:02 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\ezmdy0r.tgz
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Telecoms Center"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Service Drivers"=-
"Microsoft Telecoms Center"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Service Drivers"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
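The CFScript above was written by hand from the "Reg Loading Points" section of the ComboFix log in post #3: every value RichieUK deletes is one that ComboFix printed with an empty trailing `[]` and a bare executable name (telcoms.exe, winsvc.exe), two of them sitting under RunServices keys. The Python below is an added example for this thread, not ComboFix's own code or anything RichieUK posted. It parses a constructed excerpt in that log format, flags autorun values on those three signals, and renders the `File::` / `Registry::` CFScript shown in the post. Two assumptions are made here: that an empty `[]` means ComboFix found no matching file for the value, and that RunServices is a Windows 9x-era key that NT-based Windows does not process, so legitimate XP software rarely writes there. The flags are triage signals only; KHALMNPR.EXE (Logitech) and the Spyware Doctor entry trip the same rules and were left alone in the thread, so the example keeps a human-chosen keep list rather than deleting everything it flags.

```python
"""Triage ComboFix 'Reg Loading Points' output and draft a CFScript.

Added example for this thread, not ComboFix's own code. Flags autorun
values ComboFix printed with an empty "[]" (assumed: no file found) and
renders the File::/Registry:: CFScript format shown in post #4.
"""
import re

# Constructed sample: an excerpt in the format of the ComboFix log above.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Telecoms Center"="telcoms.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Service Drivers"="winsvc.exe" []
"Microsoft Telecoms Center"="telcoms.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Service Drivers"="winsvc.exe" []
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_loading_points(text):
    """One dict per autorun value; 'resolved' is False when ComboFix printed []."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({
                'key': key,
                'name': m.group('name'),
                'data': m.group('data'),
                'resolved': bool(m.group('meta').strip()),
            })
    return entries


def triage(text):
    """Triage signals, not verdicts: each flagged entry carries its reasons."""
    flagged = []
    for e in parse_loading_points(text):
        reasons = []
        if not e['resolved']:
            reasons.append('ComboFix found no file for this value')
        if '\\' not in e['data']:
            reasons.append('bare filename, so its location is unknown')
        if e['key'].lower().endswith('runservices'):
            # Assumption: RunServices is a Windows 9x/Me key that NT-based
            # Windows ignores, so legitimate XP software rarely writes there.
            reasons.append('RunServices key, unusual on Windows XP')
        if reasons:
            flagged.append((e, reasons))
    return flagged


def choose_removals(flagged, keep=()):
    """Policy used here: delete values that are both unresolved and bare,
    unless the data is on the analyst's keep list of recognised software."""
    chosen = []
    for e, _reasons in flagged:
        if e['data'] in keep:
            continue
        if not e['resolved'] and '\\' not in e['data']:
            chosen.append((e['key'], e['name']))
    return chosen


def build_cfscript(removals, files=()):
    """Render File:: and Registry:: sections; "name"=- deletes a value."""
    lines = []
    if files:
        lines.append('File::')
        lines.extend(files)
    if removals:
        lines.append('Registry::')
        by_key = {}
        for key, name in removals:
            by_key.setdefault(key, []).append(name)
        for key, names in by_key.items():
            lines.append(f'[{key}]')
            lines.extend(f'"{n}"=-' for n in names)
    return '\n'.join(lines) + '\n'


def sample_script():
    """Whole pipeline on SAMPLE; KHALMNPR.EXE is kept as recognised software."""
    removals = choose_removals(triage(SAMPLE), keep=('KHALMNPR.EXE',))
    return build_cfscript(removals, files=[r'C:\WINDOWS\system32\ezmdy0r.tgz'])


if __name__ == '__main__':
    for e, reasons in triage(SAMPLE):
        print(f"{e['name']!r} -> {e['data']}: {'; '.join(reasons)}")
    print(sample_script())
```

Running the block prints six flagged entries (ctfmon.exe, which resolved to a file under a normal Run key, is not among them) and then a script identical to the one in post #4. The keep list is the point: an automated rule on `[]` alone would also have queued the Logitech and Spyware Doctor values for deletion, which is why this kind of script is drafted by the analyst rather than generated blindly.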

#5 mrdogcat (Topic Starter, Members, 12 posts)

Posted 29 December 2007 - 08:17 AM

OK Here is the ComboFix Log:


-----------------------------------------------


ComboFix 07-12-29.3 - Steve 2007-12-29 12:58:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.567 [GMT 0:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ezmdy0r.tgz
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ezmdy0r.tgz

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 18:59 . 2007-12-28 18:59 <DIR> d-------- C:\Program Files\LG Electronics
2007-12-28 18:58 . 2007-12-28 18:59 <DIR> d-------- C:\Program Files\LG PC Suite 2
2007-12-28 15:43 . 2007-12-28 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 00:18 . 2007-12-19 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-18 16:46 . 2007-12-18 16:46 <DIR> d-------- C:\Documents and Settings\Dada\Application Data\ATI
2007-12-16 21:30 . 2007-12-16 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VertusTech
2007-12-13 19:11 . 2007-12-13 19:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-13 19:11 . 2007-12-13 19:11 22,328 --a------ C:\Documents and Settings\Steve\Application Data\PnkBstrK.sys
2007-12-13 19:10 . 2007-12-13 19:10 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-12-13 19:10 . 2007-12-13 19:10 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-12-13 19:10 . 2007-12-13 19:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-12-13 13:12 . 2007-12-18 01:58 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\DivX
2007-12-12 21:31 . 2007-12-12 21:31 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-12 19:08 . 2007-12-12 19:08 <DIR> d-------- C:\Program Files\DIFX
2007-12-12 18:58 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-12 18:58 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-12 18:58 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-12 18:58 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-12 18:58 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-12-12 18:43 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-12 18:43 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-12 18:43 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-12-12 13:36 . 2007-12-12 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\ICAClient
2007-12-12 13:36 . 2007-12-20 00:20 73 --a------ C:\WINDOWS\webica.ini
2007-12-12 13:34 . 2007-12-12 13:34 <DIR> d-------- C:\Program Files\Citrix
2007-12-11 21:22 . 2007-12-11 21:22 <DIR> d-------- C:\Program Files\RADVideo
2007-12-08 15:42 . 2007-12-08 15:42 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\ATI
2007-12-08 15:42 . 2007-12-08 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-12-08 15:25 . 2007-12-08 15:36 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2007-12-08 15:24 . 2007-11-01 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-12-08 15:24 . 2007-11-02 04:10 364,544 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-08 15:24 . 2007-11-02 03:35 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-12-08 15:24 . 2007-10-04 09:02 11,283 --a------ C:\WINDOWS\atiogl.xml
2007-12-08 15:24 . 2007-08-31 13:20 7,167 --a------ C:\WINDOWS\system32\atifglpf.xml
2007-12-08 15:23 . 2007-12-08 15:36 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-08 15:23 . 2007-06-27 01:30 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2007-12-08 15:23 . 2007-06-27 01:30 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2007-12-08 15:23 . 2007-04-18 12:19 1,311,202 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.cpa
2007-12-08 15:23 . 2007-11-02 03:39 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-12-08 15:23 . 2007-09-14 13:03 157,034 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-12-08 15:23 . 2007-09-09 02:37 47,360 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-12-08 15:23 . 2007-04-18 12:19 2,096 -ra------ C:\WINDOWS\system32\drivers\ativdkxx.vp
2007-12-08 15:23 . 2007-05-30 16:43 2,096 --a------ C:\WINDOWS\system32\drivers\ativckxx.vp
2007-12-08 15:23 . 2007-04-18 12:19 929 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.vp
2007-12-02 14:46 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-01 20:06 . 2007-12-01 20:06 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-11-29 01:00 . 2007-11-29 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 13:05 13,167,648 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-29 03:05 182,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-29 00:01 --------- d-----w C:\Documents and Settings\Steve\Application Data\Azureus
2007-12-28 19:31 --------- d-----w C:\Program Files\DivX
2007-12-28 18:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 03:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 12:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-24 14:02 --------- d-----w C:\Program Files\Azureus
2007-12-18 22:43 --------- d-----w C:\Program Files\Electronic Arts
2007-12-12 22:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-12-12 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-11 21:34 --------- d-----w C:\Documents and Settings\Steve\Application Data\Bioshock
2007-12-01 20:01 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-28 15:21 512 ----a-w C:\ScanSectorLog.dat
2007-11-28 01:25 --------- d-----w C:\Program Files\Java
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-02 05:52 2,644,480 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-11-02 03:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2006-11-25 15:09 81,920 ----a-w C:\Documents and Settings\Steve\Application Data\ezpinst.exe
2006-11-25 15:09 47,360 ----a-w C:\Documents and Settings\Steve\Application Data\pcouffin.sys
2006-12-19 21:49 80,672 --sha-w C:\WINDOWS\fidbox.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-29_ 0.31.56.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-29 00:14:20 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-29 12:29:40 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuru"="C:\Program Files\ABIT\ABIT uGuru\uGuru.exe" [2004-09-13 12:37]
"GuruClock"="C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe" [2004-11-08 13:23]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 21:48]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-06-29 05:24]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 C:\WINDOWS\soundman.exe]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 11:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 11:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 11:00 69632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 uGuru;uGuru;C:\WINDOWS\system32\Drivers\uGuru.sys [2004-08-04 12:56]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 10:22]
S2 klmc;klmc;C:\WINDOWS\system32\Drivers\klmc.sys []
S3 Memctl;Memctl;C:\Program Files\ABIT\ABIT uGuru\Memctl.sys [2001-11-29 03:49]
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-07-20 05:20]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 19:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-29 12:31:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 13:05:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 13:06:06
C:\ComboFix2.txt ... 2007-12-29 00:33
.
2007-12-22 12:46:01 --- E O F ---

#6 mrdogcat (Topic Starter; Members, 12 posts)

Posted 29 December 2007 - 08:19 AM

And the new HijackThis log:

BTW I had to restart my machine after the ComboFix scan as my internet wasn't working. Would this matter?


---------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:21, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148596483202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148596917390
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8414 bytes

#7 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 29 December 2007 - 09:35 AM

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#8 mrdogcat (Topic Starter; Members, 12 posts)

Posted 29 December 2007 - 12:20 PM

Hi RichieUK, thanks so much for looking into this for me. I disabled my anti virus/spyware program while doing the ComboFix scan as I didn't want it to interfere with the scan.

My machine seems to be running a little faster and my HDD doesn't seem to be running all the time. I'll let you know if I come across any problems later on as I use it more.

I have come across a new problem now however. On some websites my browser (firefox) is displaying them funny (not showing some graphics/functions etc. See attached screengrab). Any ideas what's happening? Pages work fine in IE.

Also below are the SUPERAntiSpyware and HijackThis logs. Thanks again.


---------------------------



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2007 at 05:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3370
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 01:01:58

Memory items scanned : 522
Memory threats detected : 0
Registry items scanned : 6400
Registry threats detected : 0
File items scanned : 63854
File threats detected : 1

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\STEVE\FAVORITES\ONLINE SECURITY TEST.URL




-------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:29, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148596483202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148596917390
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8604 bytes

Attached Files
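The triage RichieUK performs on these logs by eye (the orphaned O3 toolbar with "(no file)", O23 services reported as "Unknown owner" or "(file missing)", O16 ActiveX downloads from somewhere other than Microsoft) and the before/after comparison between the 13:15 log in post #6 and the 17:09 log above can be scripted. The Python below is an added example and is not code from this thread or from HijackThis; the flagging rules are my own heuristics modelled on the thread, and the two embedded log excerpts are constructed from the logs posted above, cut down to a handful of entries each.

```python
"""Triage and diff HijackThis 2.0.x logs (added example; not from the thread)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed excerpts of the two HijackThis logs posted in this thread
# (13:15 and 17:09 on 29/12/2007), trimmed to the lines the example needs.
LOG_BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding starts with a section tag (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# The O16 (DPF/ActiveX) downloads seen in this log that are expected on an XP box
# are the Windows Update / WGA controls; any other download host deserves a look.
EXPECTED_DPF_HOSTS = ("go.microsoft.com", "update.microsoft.com")


def parse_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each R*/F*/N*/O* entry; process lists etc. are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section: str, body: str) -> List[str]:
    """Heuristic reasons (mine, not HijackThis's) why an entry deserves attention."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: the registered file no longer exists")
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("BHO/toolbar registered without a display name")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no publisher in its version info")
    if section == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        if not host.endswith(EXPECTED_DPF_HOSTS):
            reasons.append(f"ActiveX control downloaded from {host}")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; confirm it is yours")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Every entry that raised at least one reason, as (entry line, reasons)."""
    out = []
    for section, body in parse_hjt(log_text):
        reasons = flag_entry(section, body)
        if reasons:
            out.append((f"{section} - {body}", reasons))
    return out


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries that disappeared or appeared between two logs of the same machine."""
    old = {f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    for entry, reasons in triage(LOG_BEFORE):
        print(entry)
        for r in reasons:
            print("   ->", r)
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *changes["removed"], sep="\n  ")
    print("added:", *changes["added"], sep="\n  ")
```

Run against the two excerpts, `triage` flags the nameless O3 toolbar (twice: no name and no file), the Creative O16 download and the two "Unknown owner" services, while `diff_logs` shows exactly what the fix in post #7 and the SUPERAntiSpyware install changed: the O3 toolbar gone, and the HKCU Run entry plus the O20 Winlogon Notify hook added. The "Unknown owner" rule is a prompt to check the file's signature and vendor, not a verdict; PnkBstrA, for instance, is the PunkBuster service that ships with several games.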



#9 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 29 December 2007 - 01:09 PM

I disabled my anti virus/spyware program while doing the ComboFix scan as I didn't want it to interfere with the scan.

You'd better enable your antivirus program now or you'll end up with more problems.

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

I have come across a new problem now however. On some websites my browser (firefox) is displaying them funny (not showing some graphics/functions etc. See attached screengrab). Any ideas what's happening? Pages work fine in IE.

First backup your bookmarks in Firefox.
How to Back-Up Bookmarks in Firefox:
http://www.nirmaltv.com/2007/07/25/how-to-...rks-in-firefox/

Now try creating a new profile within Firefox by following these instructions:
http://www.mozilla.org/support/firefox/profile#new

Now import your bookmarks following the info in the link at the top.

Restart your pc.
Let me know how your pc is running now please.

#10 mrdogcat (Topic Starter; Members, 12 posts)

Posted 29 December 2007 - 06:14 PM

So far it seems to be running much smoother, and the Firefox thing seemed to fix itself once I simply added a new profile, which I've now deleted, and just continued to use the original one.

Are there any other steps I need to do? What do you think it was that was causing the problems?

#11 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 29 December 2007 - 06:39 PM

Are there any other steps I need to do?

Nope, we're done, you're good to go.

What do you think it was that was causing the problems?

This was your main issue, VIDEOACCESSCODEC:
http://www.fileresearchcenter.com/V/VIDEOA....OCX-11106.html

#12 mrdogcat (Topic Starter; Members, 12 posts)

Posted 30 December 2007 - 08:46 AM

Just booted up now and noticed that all my tray icons are taking ages to appear... Worryingly, ZoneAlarm, my antivirus and spyware scanner. And the HDD is still working overtime (probably trying to load everything up).

#13 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 30 December 2007 - 09:02 AM

Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1. General
2. System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up, click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded, this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.
*IMPORTANT*
Do NOT run any other options until you are asked to do so!
*NOTE*
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes.
Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Also post a new Hijackthis log.

#14 mrdogcat

  • Topic Starter
  • Members
  • 12 posts

Posted 31 December 2007 - 11:11 PM

Here's the scan report:


Scanning Report
Monday, December 31, 2007 14:29:33 - 18:54:35

Computer name: PC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 6 malware found
Spybot.dam.dropper (virus)

* C:\Documents and Settings\Steve\Desktop\CS3_Keygens\-CS3 Keygens-\Adobe CS3 Keygens\PhotoShop CS3 Extended Keygen + Activation.exe (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System

W32/Smalldrp.NTG (virus)

* C:\Documents and Settings\Steve\Desktop\CS3_Keygens\-CS3 Keygens-\Adobe CS3 Keygens\Adobe Photoshop CS3 Extended VOLUME LICENSE KEYGEN.exe (Submitted)

W32/Spybot.dam (virus)

* C:\Documents and Settings\Steve\Desktop\CS3_Keygens\-CS3 Keygens-\Adobe CS3 Keygens\Acrobat 8 keygen + Activation.exe (Submitted)

Statistics
Scanned:

* Files: 885913
* System: 4862
* Not scanned: 465

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 5
* Submitted: 3

Files not scanned:

C:\PAGEFILE.SYS
C:\SCANSECTORLOG.DAT
C:\WINDOWS\TEMP\ZLT02083.TMP
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.DAT
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\Program Files\Zone Labs\ZoneAlarm\instmtdr.exe\FILE0020.DAT
root.img
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\FACES.R8
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\GASPUMP1.R8
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\NCALL.R8
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\PARTH.R8
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\SMOKE_BK.R8
C:\PROGRAM FILES\MICROSOFT GAMES\MICROSOFT FLIGHT SIMULATOR X\TEXTURE\SMOKE_WT.R8
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\Program Files\Common Files\Adobe\Installers\Adobe Color Common Settings 1.0.1.log.gz\Adobe Color Common Settings 1.0.1.log
Overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Undergrowth.raw
overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
HeightmapSecondary_L1U1.raw
HeightmapSecondary_R1.raw
HeightmapSecondary_R1U1.raw
HeightmapSecondary_U1.raw
overgrowth/Overgrowth.raw
Undergrowth.raw
overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
overgrowth/OvergrowthShadowmap.raw
Undergrowth.raw
overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Overgrowth/OvergrowthShadowmap.raw
overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw
Overgrowth/OvergrowthShadowmap.raw
overgrowth/Overgrowth.raw
HeightmapSecondary_U1.raw
overgrowth/Overgrowth.raw
Overgrowth/Overgrowth.raw

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-12-26
* F-Secure AVP: 7.0.171, 2007-12-30
* F-Secure Orion: 1.2.37, 2007-12-31
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 2007-11-28
* F-Secure Pegasus: 1.19.0, 2007-11-30

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics


----------------------------------------------

Here's the SmitFraudFix log:

SmitFraudFix v2.274

Scan done at 3:29:22.06, 01/01/2008
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Steve


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Steve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Steve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B2EBF137-3669-4DAA-8F99-73198C534FF7}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B2EBF137-3669-4DAA-8F99-73198C534FF7}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B2EBF137-3669-4DAA-8F99-73198C534FF7}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B2EBF137-3669-4DAA-8F99-73198C534FF7}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



And here's the newest HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:07:42, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148596483202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148596917390
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8330 bytes



Thanks again!!
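The HijackThis log posted above is the kind of thing a helper triages by eye. The following is an added example, not code from this thread, from HijackThis or from Trend Micro: a small Python parser for the HijackThis v2 log format that flags three things worth confirming on disk before declaring a log clean. O4 Run values whose command is not an absolute path (CTHELPER.EXE, KHALMNPR.EXE, SOUNDMAN.EXE in the log above) resolve through the search path, so the file that actually launches should be located and verified; O23 services with no named publisher or with "(file missing)" are typically stale registrations left behind by uninstalled software (nTuneService and sdhelp above); and O16 DPF entries are ActiveX controls installed from the web and should each be recognisable. The sample log is constructed from a few lines in the format of this thread's own log; the function names are my own.

```python
"""Triage helper for a HijackThis v2 log (added example, not HijackThis' own code)."""
import re

# Constructed sample in the HijackThis v2.0.2 log format (a subset of entry types).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:07:42, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# The publisher field may be empty ("name - - C:\..."), so the path is anchored on a drive letter.
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")


def parse_entries(log_text):
    """Return (code, body) pairs for every finding line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def is_qualified_path(cmd):
    """True when the command starts with an absolute drive path, optionally quoted."""
    return re.match(r'^"?[A-Za-z]:\\', cmd) is not None


def unqualified_run_entries(entries):
    """O4 autostart values whose executable is found via the search path, not a fixed location."""
    found = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RE.match(body)
        if m and not is_qualified_path(m.group("cmd")):
            found.append((m.group("name"), m.group("cmd")))
    return found


def missing_file_services(entries):
    """O23 services whose binary HijackThis could not find on disk."""
    found = []
    for code, body in entries:
        m = O23_RE.match(body) if code == "O23" else None
        if m and m.group("path").endswith("(file missing)"):
            found.append(m.group("name"))
    return found


def unverified_owner_services(entries):
    """O23 services with no publisher recorded ('Unknown owner' or an empty field)."""
    found = []
    for code, body in entries:
        m = O23_RE.match(body) if code == "O23" else None
        if m and m.group("owner") in ("", "Unknown owner"):
            found.append(m.group("name"))
    return found


def activex_controls(entries):
    """O16 entries: ActiveX controls installed from a download URL."""
    found = []
    for code, body in entries:
        m = O16_RE.match(body) if code == "O16" else None
        if m:
            found.append((m.group("name"), m.group("url")))
    return found


def triage(log_text):
    """Summarise the items a reviewer should confirm before calling the log clean."""
    entries = parse_entries(log_text)
    return {
        "unqualified_run": unqualified_run_entries(entries),
        "missing_services": missing_file_services(entries),
        "unverified_owner_services": unverified_owner_services(entries),
        "activex": activex_controls(entries),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

To use it on a real log, read the saved log file into a string and pass it to triage(); the output lists what to verify, it does not decide that anything is malicious. An unqualified Run value is normal for vendor utilities like the Creative and Logitech helpers above, but the file that actually starts should be confirmed to live in a system directory.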

#15 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 January 2008 - 06:33 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Documents and Settings\Steve\Desktop\CS3_Keygens

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Your Hijackthis log is clean.
How's your pc running now?