
Need Help With Trojans And Redirects


This topic is locked
15 replies to this topic

#1 CrisGer

CrisGer

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California

Posted 12 January 2008 - 08:07 PM

UPDATE: QuietMan7 is helping me in the "What do I do?" section, where I posted first, and so far I had a total system failure running SDFix, so I just wanted to let anyone know: no go so far.

Hello dear Friends at Bleeping,
Well, here I am, got some pesky and stubborn trojans I can't seem to get rid of with the anti-virus tools I use regularly. Here is my info:

Hello and thanks for any help.

I have been working to clean out some trojans and a smith attack, and today found that I sometimes can't select the first one or two results of a Google search, I get redirected. I had a heck of a time getting the latest install of Sun Java today, and had to come here to find a good link, as all the links I tried, including Sun's, got redirected. So I suspect a virus is trying to protect itself from being cleaned.

I run AVG all the time and Outpost Firewall, and have been running Spybot and Ad-Aware several times a day and also the AVG scan. I get hits sometimes, and yesterday I cleaned out ALL the reported bad files from the AVG list, including several in the Sun Java folders, and ended up with a weird error message saying a memory address could not be read.

the instruction at "0x13141d4e" referenced memory at "0x131424e".
The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

OK Cancel

I thought I had better uninstall Java, and did, and reinstalled it, and that error seems to have gone, but I got an error report and a Generic Host Process alert after reinstalling Java, and it said:


Generic Host Process for Win32 Services encountered a problem and needed to close

This error occurred on 1/12/2008 at: 11:40:03AM


EventType: BEX P1:svchost.exe P2:5.1.2600.2180 P3: 41107ed6
P4:svhost.exe P5:5.2600.2180 P6:41107ed6 P7:00001d4e P8:c0000005
P9:00000008

C:/DOCUME~Owner/LOCALS!~\Temp\WER329e.dir00\svchost.exe.mdmp
C;\DOCUME!1Owner\LOCALS~1\TempWER3293dir00\appcompat.txt

So something was trying to get out....

I have the main tools still installed, as you guys have saved my compy before, and I am so grateful. I am willing to do whatever I can to try to get the pesky stuff out, but at this point it is not showing up easily in the bug scans. Can you help me?

I have an AMD 3400 running at 2.6 GHz, a 400 GB hard drive, 2.5 GB RAM, XP Pro SP2, and am somewhat computer savvy, so I can follow your instructions pretty well; I just need to know exactly where to look for what is hiding in my system.

As I was just running a Spybot scan about 20 mins ago, I got an alert from AVG that there was a Trojan Backdoor Generic c_AEW, object name smtpdrv.sys, in C:\WINDOWS\system32\drivers\. As I had scanned earlier and it had not shown up, I don't know how it got there, but I moved it to the AVG virus vault.

The AVG scan also found a cs2fg53311.exe, Trojan horse Sheur.ALOS, in C:\WINDOWS\system32\, and that is in the vault too. I am hesitant to try to go looking for infected files and moving them by hand into the trash and deleting them, after that problem that happened with the Sun Java infected files that caused the error yesterday.

Soooo, can you help? I will do all the scans and steps you suggest and await instructions. I will go ahead and do a HijackThis log and follow the instructions over there; after reviewing that section again (it has been a while since I did a session here) I realize I need to post my help request over there. Thanks.

I ran Spybot, AVG, Ad-Aware, and tried to run BitDefender, but it would not update past 93% so I could not run it; ran McAfee and then HijackThis:

My HijackThis scan today:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:26 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\cssrss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\Owner\LOCALS~1\Temp\install_en.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...bscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...l/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...s/en/x86/client/wuweb_site.cab?1177365219921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo....1/sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8965 bytes

I am not sure how to turn on subscriptions or notifications, so I will keep an eye on this thread. Thanks for any help.

Edited by CrisGer, 13 January 2008 - 12:44 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
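An added triage example, not code from this thread or from BleepingComputer: a small Python script that walks a HijackThis-style log like the one above and flags the patterns a helper would look at first: an auto-start entry launched from a Temp folder, a service whose file is missing, process names that imitate core Windows binaries (cssrss.exe, _svchost.exe), a core name running outside its system folder, and an unknown Winsock LSP. The core-name list, folder list, severities and edit-distance threshold are my own assumptions, and the sample lines are constructed from entries in the log above.

```python
"""Triage helper for HijackThis-style logs (added example, assumed heuristics)."""
import re
from pathlib import PureWindowsPath

# Core Windows process names that malware commonly imitates (assumed short list).
CORE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
              "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
# Folders where those core names are expected to live (assumed).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# First Windows path on a line, ending at a binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl)\b', re.IGNORECASE)

# Constructed sample in the shape of the log above (a few of its real lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\cssrss.exe
C:\Program Files\spoolsv.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\Owner\LOCALS~1\Temp\install_en.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
"""


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line):
    """Return the first Windows binary path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def lookalike_of(name):
    """Return the core process name this basename imitates, or None.

    A name imitates a core name when it is the core name with a leading
    punctuation character ('_svchost.exe') or one edit away ('cssrss.exe').
    An exact core name is not a lookalike; it is checked separately.
    """
    low = name.lower()
    if low in CORE_NAMES:
        return None
    stripped = low.lstrip("_-$~")
    for core in CORE_NAMES:
        if stripped == core or edit_distance(low, core) == 1:
            return core
    return None


def triage(log_text):
    """Return (severity, reason, line) findings for each suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("low", "unknown Winsock LSP, verify its publisher", line))
            continue
        path = extract_path(line)
        if path is None:
            continue
        name = PureWindowsPath(path).name.lower()
        parent = str(PureWindowsPath(path).parent).lower()
        if "\\temp\\" in path.lower():
            findings.append(("high", "auto-start launched from a Temp folder", line))
        if "(file missing)" in line.lower():
            findings.append(("medium", "service points at a missing file", line))
        core = lookalike_of(name)
        if core:
            findings.append(("high", f"name imitates {core}", line))
        elif name in CORE_NAMES and parent not in SYSTEM_DIRS:
            findings.append(("high", "core Windows name outside its system folder", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

Run it against a full log saved to a file by passing the file's contents to triage(); every finding still needs a human look, since a one-edit match is a hint, not a verdict.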


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • Gender:Male
  • Location:USA

Posted 28 January 2008 - 01:49 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.

#3 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California

Posted 29 January 2008 - 04:14 PM

Hi Grinler, thanks, I figured out as much.

My system froze trying to run SDFix and I could not reboot, no way. I have a local tech who saved my computer; he had to remove the hard drive and tweak, but he got the system back to life. He removed a trojan and I got several more, but since then I think we are much better. There are still some trojans hidden in one of the old restore files; is it best to just remove those restore points?

I am a bit scared to retry SDFix in case things freeze up again; my uneducated guesstimate is that one of the trojans had a self-defense package that tried to keep us from running cleaners...

I will re-run HijackThis later today and do the other things first, so you can take a look. Thanks again for your help.

I had to decide NOT to reformat completely, as I am involved in several important projects with LucasArts and other game companies and can't break my work stream right now even for the day to reformat, so I am hoping if there is a problem I can clean and keep going. I will post a new log in a bit, and I thank you again and hope all is well... you guys are angels.
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • Gender:Male
  • Location:USA

Posted 29 January 2008 - 04:18 PM

Not a problem. Do this instead for when you post back:
  • Download Combofix to your desktop.

  • Double-click combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#5 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California

Posted 03 February 2008 - 12:18 AM

OK Grinler, sorry for the delay.
I ran the scans and ComboFix worked great, found some stuff, and there is also something called
sml1.browercast.com at 207.226.164.195 continually trying to open a connection... how do I stop that or disable it?
I have Outpost Firewall but was not sure how to find what program is trying to get out.

Anyway, here are the logs:

ComboFix

ComboFix 08-02.03.1 - Owner 2008-02-02 21:50:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.545 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\2_exception.nls
C:\WINDOWS\system32\config\SAM.SAV
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\drivers\smtpdrv.sys

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\Driver
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\ie_updater.exe
2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\Documents and Settings\Owner\ie_updates3r.exe
2008-02-01 20:07 . 2008-02-01 20:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 20:07 . 2008-02-01 20:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Program Files\Download Manager
2008-01-14 17:21 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-14 17:21 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-14 16:57 . 2008-01-14 16:58 <DIR> d--h----- C:\ErdUndoCache
2008-01-14 16:57 . 2003-01-29 02:45 69,632 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-01-14 16:57 . 2004-08-03 23:00 29,056 --a--c--- C:\WINDOWS\system32\dllcache\ip6fw.sys
2008-01-14 08:51 . 2003-07-31 02:01 69,120 --a------ C:\WINDOWS\system32\SilSupp.cpl
2008-01-14 08:51 . 2003-09-04 05:45 55,144 --a------ C:\WINDOWS\system32\drivers\si3112.sys
2008-01-14 08:51 . 2003-06-09 10:56 10,112 --a------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2008-01-13 08:52 . 2008-01-13 08:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 08:49 . 2008-01-13 09:02 <DIR> d-------- C:\SDFix
2008-01-13 08:39 . 2008-01-13 08:39 4,928 --a------ C:\WINDOWS\system32\lv0VmL.syz
2008-01-12 21:00 . 2008-01-12 21:00 4,928 --a------ C:\WINDOWS\system32\XDqb8Y.syz
2008-01-12 15:54 . 2008-01-12 15:54 4,928 --a------ C:\WINDOWS\system32\6qslYe.syz
2008-01-12 11:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 11:31 . 2008-01-12 11:32 <DIR> d-------- C:\Program Files\Java
2008-01-12 11:30 . 2008-01-12 11:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-12 11:17 . 2008-01-12 11:17 4,928 --a------ C:\WINDOWS\system32\pAUMUd.syz
2008-01-12 07:11 . 2008-01-12 07:11 4,928 --a------ C:\WINDOWS\system32\hGQouz.syz
2008-01-12 06:00 . 2008-01-12 06:00 4,928 --a------ C:\WINDOWS\system32\sSBe9M.syz
2008-01-11 08:07 . 2008-01-11 08:07 4,928 --a------ C:\WINDOWS\system32\YaL1hF.syz
2008-01-10 12:50 . 2008-01-10 12:50 4,928 --a------ C:\WINDOWS\system32\PXQx4r.syz
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\1A.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\19.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\18.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\17.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\16.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\15.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\14.tmp
2008-01-10 11:17 . 2008-01-10 11:17 0 --a------ C:\13.tmp
2008-01-10 11:15 . 2008-01-10 11:15 24,832 --a------ C:\WINDOWS\system32\drivers\Ubh05.sys
2008-01-10 11:15 . 2008-01-10 11:15 311 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-10 11:15 . 2008-01-10 11:15 12 --a------ C:\WINDOWS\system32\svchost.t__
2008-01-10 11:15 . 2008-01-10 11:15 8 --a------ C:\WINDOWS\system32\404206270
2008-01-09 15:44 . 2001-08-27 08:45 503,808 -ra------ C:\WINDOWS\system32\N67WUD.DLL
2008-01-09 15:44 . 2001-05-25 04:38 393,264 -ra------ C:\WINDOWS\system32\N067u.dat
2008-01-09 15:44 . 2002-04-12 20:17 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-01-09 15:44 . 2001-08-27 08:44 118,784 -ra------ C:\WINDOWS\system32\N67WIMG.DLL
2008-01-09 15:38 . 2000-04-12 20:02 119,808 -ra------ C:\WINDOWS\system32\ITLIB32.DLL
2008-01-09 15:38 . 2000-04-12 20:02 45,056 -ra------ C:\WINDOWS\system32\CANOIT32.EXE
2008-01-08 19:30 . 2008-01-08 19:33 <DIR> d-------- C:\DeusEx
2008-01-05 13:52 . 2008-01-05 13:52 0 --a------ C:\WINDOWS\Twunk002.MTX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 04:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-02-03 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-03 01:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-01 05:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:03 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-01-18 23:45 --------- d-----w C:\Program Files\Funcom
2008-01-14 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 01:34 --------- d-----w C:\Program Files\EA GAMES
2008-01-06 22:08 --------- d-----w C:\Program Files\Common Files\DAZ
2008-01-02 22:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 22:03 --------- d-----w C:\Program Files\Doom 3
2008-01-02 22:02 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2008-01-02 22:00 --------- d-----w C:\Program Files\Audio Converter
2008-01-02 16:10 --------- d-----w C:\Program Files\QuickPar
2008-01-02 01:16 --------- d-----w C:\Program Files\LucasArts
2008-01-01 18:39 --------- d-----w C:\Program Files\Q3E Minimizer v1.51
2007-12-31 20:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-12-31 16:13 --------- d-----w C:\Program Files\Yahoo!
2007-12-29 03:00 --------- d-----w C:\Program Files\DivX
2007-12-29 02:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-27 17:37 --------- d-----w C:\Program Files\Eidos Interactive
2007-12-27 06:25 --------- d-----w C:\Program Files\The Legend of Lotus Spring
2007-12-24 20:29 --------- d-----w C:\Program Files\GameSpy
2007-12-24 20:26 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-12-24 20:26 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 20:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-24 20:26 22,328 ----a-w C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-12-24 20:26 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-24 20:11 --------- d-----w C:\Program Files\Electronic Arts
2007-12-24 17:25 --------- d-----w C:\Program Files\The Adventure Company
2007-12-24 08:56 --------- d-----w C:\Program Files\HyCam2
2007-12-23 18:37 --------- d-----w C:\Program Files\ScummVM
2007-12-23 17:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ScummVM
2007-12-21 18:43 --------- d-----w C:\Program Files\MimarSinan CompreXX mk4
2007-12-21 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\{0A3EDBAE-2B00-4FD1-B634-A472E0AB8AE7}
2007-12-21 18:17 --------- d-----w C:\Program Files\Smith Micro
2007-12-19 02:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-12-14 06:57 --------- d-----w C:\Program Files\QuickTime
2007-12-14 02:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-13 23:55 216,064 ----a-w C:\WINDOWS\iun3405.exe
2007-12-10 01:35 --------- d-----w C:\Program Files\DOSBox-0.65
2007-12-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-06 05:29 --------- d-----w C:\Program Files\The Babylon Project
2007-12-05 22:24 --------- d-----w C:\Program Files\Wing Commander Saga Prologue
2007-12-05 22:17 --------- d-----w C:\Program Files\OpenAL
2007-12-05 09:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 08:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 08:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 08:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 08:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 08:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 08:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 08:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 08:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 08:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 08:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 08:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 08:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 08:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 08:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 08:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 08:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 08:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 08:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 08:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 08:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 08:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 08:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 08:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 08:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 08:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 08:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 08:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 08:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2005-11-28 23:35 7,486,947 ----a-w C:\Documents and Settings\Owner\Prodigal.exe
2005-11-28 23:35 49,177 ----a-w C:\Documents and Settings\Owner\winsetup.exe
2005-06-05 15:48 45,056 ----a-w C:\Documents and Settings\Owner\AGS_Fire.dll
2002-07-04 18:28 223,744 ----a-w C:\Documents and Settings\Owner\alleg40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-17 10:57 1581056]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-12-07 11:55 1266936]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:24 579072]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 11:15 83968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"CTHelper"="CTHELPER.EXE" [2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 15:20 78848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 08:24 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6B30A5C0-F58B-4E0A-9E03-ED83331CB2B6}"= C:\WINDOWS\system32\winSpy32.dll [ ]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F61FBB}"= C:\WINDOWS\system32\kb1sskp.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ChkKernel"= {36842551-01f8-45e6-8c36-cf8084158294} - C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll [2008-02-02 16:42 12838]
"AlrtDrv"= {815ae73e-d22f-49d5-b087-dedc9e278c1c} - C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll [2008-02-02 16:42 12838]
"zip"= {6452e875-9c93-4b74-850c-e87ccabfdf7b} - C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll [2008-02-02 21:41 38950]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NWCWorkstation"=2 (0x2)

R0 SI3112;SiI-3512 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys [2003-09-04 05:45]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-06-09 10:56]
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 15:19]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-07-20 06:37]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 15:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 15:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 15:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 15:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 15:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 15:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 15:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 15:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 15:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 15:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 15:20]
S0 si3112r;si3112r;C:\WINDOWS\system32\drivers\si3112r.sys [2003-02-24 04:21]
S2 Microsoft P2P2 Service;Microsoft P2P2 Service;C:\WINDOWS\system32\_svchost.exe []
S3 asbp2poa;asbp2poa;C:\DOCUME~1\Owner\LOCALS~1\Temp\asbp2poa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a3ce22-eea6-11db-b958-000fea46994d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 00:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 21:57:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
-> C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Valve\Steam\Steam.exe
.
**************************************************************************
.
Completion time: 2008-02-02 22:03:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 05:03:41
ComboFix2.txt 2007-09-28 19:47:04
ComboFix3.txt 2007-09-21 00:51:45
ComboFix4.txt 2007-04-28 03:21:33

Hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:45 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200356463979
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ChkKernel - {36842551-01f8-45e6-8c36-cf8084158294} - C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
O21 - SSODL: AlrtDrv - {815ae73e-d22f-49d5-b087-dedc9e278c1c} - C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll
O21 - SSODL: zip - {6452e875-9c93-4b74-850c-e87ccabfdf7b} - C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Microsoft P2P2 Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9289 bytes
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#6 CrisGer

Posted 03 February 2008 - 11:11 AM

I did scan with McAfee Stinger, Spybot, Ad-Aware (with their latest public update) and AVG. AVG found a trojan that it moved to the vault and six exploit viruses that were in Sun files; it said it healed 3, but that left four the same. I did a McAfee scan yesterday and it made a file called stinger opt, but I was not sure if that was a log or not. I still have some kind of download that is trying to open a connection and it gives a popup saying to download some kind of anti-virus scanner protection. I have not allowed the connection yet but I am staying offline mostly and it keeps trying to connect. The scans have not removed it yet.

When I go online some weird site tries to take over my browser; it is a redirect called abcsearch and takes me to a site called findstuff.

And a program called s2fnew tries to run too.

The viruses that were found yesterday by AVG were:

smss.exe Trojan Horse Generic 9.AWAD
smss(1).exe Trojan Horse Generic 9.AWAD
3e36ace5.46d 1b426 Java/Byte Verify
7713e8e7-6df3f69c Java/Byte Verify

There were five other Java files listed as the same type of Java exploit viruses, but for some reason AVG did not heal or remove them, which worries me a bit.

I tried to physically remove some similar files from the Java file area about a month ago when I was having similar trouble and ended up with some major problems: memory address not being read errors that eventually made my system unbootable after trying to run SDFix, and I had to have my hard drive removed and a tech managed to reboot it.

I just ran AVG again and found two more trojans in the IE folder and three others in the program directory, just in the open directory. I had to run Winsock to restore the TCP again, and when I restarted there was an installer hiding in the Windows system file. Just to keep you posted, I am scanning with AVG again. :thumbsup:

These latest were:

C:Windows/system32/drivers/etc.hosts change
C:/ie_updater.exe
C:/Document and SEttings/Owner/ie_updater3r.exe
C:/Program Files/tmp39346484.exe
C:/Program Files/tmp29249171.exe

and just now, C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll

UPDATE: 11:10 PM Sunday
With this continual scanning and removing things right away that I find, I may be catching up with the worst of the swarm; there were two downloaders operating simultaneously, it looked like. Anyway, I will keep scanning until I hear from you.

I think there may still be some hiding out in the Java SUN folder.

Here is a new HijackThis log from Sunday night after several more scans and a number of removals:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:12 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200356463979
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ChkKernel - {36842551-01f8-45e6-8c36-cf8084158294} - C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
O21 - SSODL: AlrtDrv - {815ae73e-d22f-49d5-b087-dedc9e278c1c} - C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll (file missing)
O21 - SSODL: zip - {6452e875-9c93-4b74-850c-e87ccabfdf7b} - C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Microsoft P2P2 Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9558 bytes

Another full AVG scan found:

C:\WINDOWS\system32\drivers\etc\hosts changed (I keep seeing this, don't know what it means?)

C:\QooBox\Quarantine\C\WINDOWS\system32\_avchost.exe.vir

C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll

One final question: one of the trojans was called smss.exe, but I also have an smss program running, usually. Is this a legitimate program or another virus?

spoolsv.exe is another program that looks like one of the viruses I found; both spoolsv and smss are present in my program manager all the time, or if I turn one off, like spoolsv, it comes back on.

Edited by CrisGer, 04 February 2008 - 02:34 AM.


#7 Grinler

Grinler (Lawrence Abrams)

Posted 04 February 2008 - 05:54 PM

Smss.exe in C:\Windows\System32\ is legit...as is spoolsv.exe.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\ie_updater.exe
2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\Documents and Settings\Owner\ie_updates3r.exe
2008-01-13 08:39 . 2008-01-13 08:39 4,928 --a------ C:\WINDOWS\system32\lv0VmL.syz
2008-01-12 21:00 . 2008-01-12 21:00 4,928 --a------ C:\WINDOWS\system32\XDqb8Y.syz
2008-01-12 15:54 . 2008-01-12 15:54 4,928 --a------ C:\WINDOWS\system32\6qslYe.syz
2008-01-12 11:17 . 2008-01-12 11:17 4,928 --a------ C:\WINDOWS\system32\pAUMUd.syz
2008-01-12 07:11 . 2008-01-12 07:11 4,928 --a------ C:\WINDOWS\system32\hGQouz.syz
2008-01-12 06:00 . 2008-01-12 06:00 4,928 --a------ C:\WINDOWS\system32\sSBe9M.syz
2008-01-11 08:07 . 2008-01-11 08:07 4,928 --a------ C:\WINDOWS\system32\YaL1hF.syz
2008-01-10 12:50 . 2008-01-10 12:50 4,928 --a------ C:\WINDOWS\system32\PXQx4r.syz
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\1A.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\19.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\18.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\17.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\16.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\15.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\14.tmp
2008-01-10 11:17 . 2008-01-10 11:17 0 --a------ C:\13.tmp
2008-01-10 11:15 . 2008-01-10 11:15 311 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-10 11:15 . 2008-01-10 11:15 12 --a------ C:\WINDOWS\system32\svchost.t__
2008-01-10 11:15 . 2008-01-10 11:15 8 --a------ C:\WINDOWS\system32\404206270
2008-01-10 11:15 . 2008-01-10 11:15 24,832 --a------ C:\WINDOWS\system32\drivers\Ubh05.sys
2008-01-09 15:44 . 2001-08-27 08:45 503,808 -ra------ C:\WINDOWS\system32\N67WUD.DLL
2008-01-09 15:44 . 2001-05-25 04:38 393,264 -ra------ C:\WINDOWS\system32\N067u.dat
2008-01-09 15:44 . 2002-04-12 20:17 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-01-09 15:44 . 2001-08-27 08:44 118,784 -ra------ C:\WINDOWS\system32\N67WIMG.DLL
2005-11-28 23:35 7,486,947 ----a-w C:\Documents and Settings\Owner\Prodigal.exe
2005-11-28 23:35 49,177 ----a-w C:\Documents and Settings\Owner\winsetup.exe
C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll
C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\asbp2poa.sys

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6B30A5C0-F58B-4E0A-9E03-ED83331CB2B6}"=-
"{ED0ACB58-556F-21DA-DDFE-6D20F3F61FBB}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ChkKernel"=-
"AlrtDrv"=-
"zip"=-

Collect::[3]
C:\WINDOWS\system32\winSpy32.dll
C:\WINDOWS\system32\kb1sskp.dll

Driver::
Microsoft P2P2 Service
asbp2poa


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
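Grinler's script above targets the three O21 SSODL DLLs under C:\WINDOWS\Installer\, the phantom "Microsoft P2P2 Service" pointing at _svchost.exe, and answers the smss.exe question by location rather than by name. As an added illustration that is not part of this thread or of HijackThis/ComboFix, the Python below parses HijackThis-style lines (a sample constructed from CrisGer's log) and flags those same categories; the heuristics, the CORE_NAMES list and the check/suspicious tiers are my own assumptions for triage, not a verdict on any file.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: an abridged copy of the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O21 - SSODL: ChkKernel - {36842551-01f8-45e6-8c36-cf8084158294} - C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
O21 - SSODL: zip - {6452e875-9c93-4b74-850c-e87ccabfdf7b} - C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll
O23 - Service: Microsoft P2P2 Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
# Assumption: core Windows XP processes whose real binaries live only in system32.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}
ENTRY_RE = re.compile(r"^(O\d+) - (\w+): (.*)$")   # e.g. "O21 - SSODL: ..."
MISSING = " (file missing)"


def _path_info(field):
    """Split a HijackThis path field into (PureWindowsPath, file_missing)."""
    missing = field.endswith(MISSING)
    if missing:
        field = field[:-len(MISSING)]
    return PureWindowsPath(field.strip()), missing


def check_process(path_str):
    """Flag a 'Running processes' path that reuses a core name outside system32."""
    p = PureWindowsPath(path_str)
    # PureWindowsPath compares case-insensitively, so System32 == system32.
    if p.name.lower() in CORE_NAMES and p.parent != SYSTEM32:
        return "suspicious: core process name running outside system32"
    return None


def check_entry(kind, rest):
    """Apply the illustrative heuristics to one O-line; return a verdict or None."""
    parts = rest.rsplit(" - ", 2)           # name - guid/owner - path
    if len(parts) != 3:
        return None
    _name, _middle, path_field = parts
    if kind == "O2" and path_field.strip() == "(no file)":
        return "check: BHO registered with no file (orphaned entry)"
    path, missing = _path_info(path_field)
    if kind == "O21" and path.parent != SYSTEM32:
        # Legitimate XP SSODL objects are shell DLLs in system32, not Installer\{GUID}.
        return "suspicious: SSODL loads a DLL from outside system32"
    if kind == "O23":
        base = path.name.lower()
        if base.startswith("_") or (base in CORE_NAMES and path.parent != SYSTEM32):
            return "suspicious: service binary mimics a Windows system process"
        if missing:
            return "check: service binary missing on disk"
    return None


def triage(log_text):
    """Walk a HijackThis log; return [(verdict, line)] for lines worth a look."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            verdict = check_entry(m.group(1), m.group(3))
        elif in_processes:
            verdict = check_process(line)
        else:
            verdict = None
        if verdict:
            findings.append((verdict, line))
    return findings


if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG):
        print(f"{verdict}\n    {line}")
```

On the sample this reports five lines: the three Installer/_svchost entries as suspicious, the orphaned BHO and the missing Logitech service as "check", and nothing for smss.exe or spoolsv.exe because both run from system32.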

#8 CrisGer

Posted 04 February 2008 - 06:43 PM

ComboFix Log Feb 5 Monday PM

ComboFix 08-02.03.1 - Owner 2008-02-04 16:21:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.684 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
2005-11-28 23:35 49,177 ----a-w C:\Documents and Settings\Owner\winsetup.exe
2005-11-28 23:35 7,486,947 ----a-w C:\Documents and Settings\Owner\Prodigal.exe
2008-01-09 15:44 . 2001-05-25 04:38 393,264 -ra------ C:\WINDOWS\system32\N067u.dat
2008-01-09 15:44 . 2001-08-27 08:44 118,784 -ra------ C:\WINDOWS\system32\N67WIMG.DLL
2008-01-09 15:44 . 2001-08-27 08:45 503,808 -ra------ C:\WINDOWS\system32\N67WUD.DLL
2008-01-09 15:44 . 2002-04-12 20:17 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-01-10 11:15 . 2008-01-10 11:15 12 --a------ C:\WINDOWS\system32\svchost.t__
2008-01-10 11:15 . 2008-01-10 11:15 24,832 --a------ C:\WINDOWS\system32\drivers\Ubh05.sys
2008-01-10 11:15 . 2008-01-10 11:15 311 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-10 11:15 . 2008-01-10 11:15 8 --a------ C:\WINDOWS\system32\404206270
2008-01-10 11:17 . 2008-01-10 11:17 0 --a------ C:\13.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\14.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\15.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\16.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\17.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\18.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\19.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\1A.tmp
2008-01-10 12:50 . 2008-01-10 12:50 4,928 --a------ C:\WINDOWS\system32\PXQx4r.syz
2008-01-11 08:07 . 2008-01-11 08:07 4,928 --a------ C:\WINDOWS\system32\YaL1hF.syz
2008-01-12 06:00 . 2008-01-12 06:00 4,928 --a------ C:\WINDOWS\system32\sSBe9M.syz
2008-01-12 07:11 . 2008-01-12 07:11 4,928 --a------ C:\WINDOWS\system32\hGQouz.syz
2008-01-12 11:17 . 2008-01-12 11:17 4,928 --a------ C:\WINDOWS\system32\pAUMUd.syz
2008-01-12 15:54 . 2008-01-12 15:54 4,928 --a------ C:\WINDOWS\system32\6qslYe.syz
2008-01-12 21:00 . 2008-01-12 21:00 4,928 --a------ C:\WINDOWS\system32\XDqb8Y.syz
2008-01-13 08:39 . 2008-01-13 08:39 4,928 --a------ C:\WINDOWS\system32\lv0VmL.syz
2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\Documents and Settings\Owner\ie_updates3r.exe
2008-02-02 16:15 . 2008-02-02 16:15 6,144 --a------ C:\ie_updater.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\asbp2poa.sys
C:\WINDOWS\Installer\{36842551-01f8-45e6-8c36-cf8084158294}\ChkKernel.dll
C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll
C:\WINDOWS\Installer\{815ae73e-d22f-49d5-b087-dedc9e278c1c}\AlrtDrv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Installer\{6452e875-9c93-4b74-850c-e87ccabfdf7b}\zip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASBP2POA
-------\LEGACY_MICROSOFT_P2P2_SERVICE
-------\asbp2poa
-------\Microsoft P2P2 Service


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-01 20:07 . 2008-02-04 14:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 20:07 . 2008-02-01 20:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Program Files\Download Manager
2008-01-14 17:21 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-14 17:21 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-14 16:57 . 2008-01-14 16:58 <DIR> d--h----- C:\ErdUndoCache
2008-01-14 16:57 . 2003-01-29 02:45 69,632 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-01-14 16:57 . 2004-08-03 23:00 29,056 --a--c--- C:\WINDOWS\system32\dllcache\ip6fw.sys
2008-01-14 08:51 . 2003-07-31 02:01 69,120 --a------ C:\WINDOWS\system32\SilSupp.cpl
2008-01-14 08:51 . 2003-09-04 05:45 55,144 --a------ C:\WINDOWS\system32\drivers\si3112.sys
2008-01-14 08:51 . 2003-06-09 10:56 10,112 --a------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2008-01-13 08:52 . 2008-01-13 08:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 08:49 . 2008-01-13 09:02 <DIR> d-------- C:\SDFix
2008-01-13 08:39 . 2008-01-13 08:39 4,928 --a------ C:\WINDOWS\system32\lv0VmL.syz
2008-01-12 21:00 . 2008-01-12 21:00 4,928 --a------ C:\WINDOWS\system32\XDqb8Y.syz
2008-01-12 15:54 . 2008-01-12 15:54 4,928 --a------ C:\WINDOWS\system32\6qslYe.syz
2008-01-12 11:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 11:31 . 2008-01-12 11:32 <DIR> d-------- C:\Program Files\Java
2008-01-12 11:30 . 2008-01-12 11:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-12 11:17 . 2008-01-12 11:17 4,928 --a------ C:\WINDOWS\system32\pAUMUd.syz
2008-01-12 07:11 . 2008-01-12 07:11 4,928 --a------ C:\WINDOWS\system32\hGQouz.syz
2008-01-12 06:00 . 2008-01-12 06:00 4,928 --a------ C:\WINDOWS\system32\sSBe9M.syz
2008-01-11 08:07 . 2008-01-11 08:07 4,928 --a------ C:\WINDOWS\system32\YaL1hF.syz
2008-01-10 12:50 . 2008-01-10 12:50 4,928 --a------ C:\WINDOWS\system32\PXQx4r.syz
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\1A.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\19.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\18.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\17.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\16.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\15.tmp
2008-01-10 11:18 . 2008-01-10 11:18 0 --a------ C:\14.tmp
2008-01-10 11:17 . 2008-01-10 11:17 0 --a------ C:\13.tmp
2008-01-10 11:15 . 2008-01-10 11:15 24,832 --a------ C:\WINDOWS\system32\drivers\Ubh05.sys
2008-01-10 11:15 . 2008-01-10 11:15 311 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-10 11:15 . 2008-01-10 11:15 12 --a------ C:\WINDOWS\system32\svchost.t__
2008-01-10 11:15 . 2008-01-10 11:15 8 --a------ C:\WINDOWS\system32\404206270
2008-01-09 15:44 . 2001-08-27 08:45 503,808 -ra------ C:\WINDOWS\system32\N67WUD.DLL
2008-01-09 15:44 . 2001-05-25 04:38 393,264 -ra------ C:\WINDOWS\system32\N067u.dat
2008-01-09 15:44 . 2002-04-12 20:17 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-01-09 15:44 . 2001-08-27 08:44 118,784 -ra------ C:\WINDOWS\system32\N67WIMG.DLL
2008-01-09 15:38 . 2000-04-12 20:02 119,808 -ra------ C:\WINDOWS\system32\ITLIB32.DLL
2008-01-09 15:38 . 2000-04-12 20:02 45,056 -ra------ C:\WINDOWS\system32\CANOIT32.EXE
2008-01-08 19:30 . 2008-01-08 19:33 <DIR> d-------- C:\DeusEx
2008-01-05 13:52 . 2008-01-05 13:52 0 --a------ C:\WINDOWS\Twunk002.MTX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 23:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-02-04 20:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-04 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-01 05:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:03 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-01-18 23:45 --------- d-----w C:\Program Files\Funcom
2008-01-14 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 01:34 --------- d-----w C:\Program Files\EA GAMES
2008-01-06 22:08 --------- d-----w C:\Program Files\Common Files\DAZ
2008-01-02 22:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 22:03 --------- d-----w C:\Program Files\Doom 3
2008-01-02 22:02 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2008-01-02 22:00 --------- d-----w C:\Program Files\Audio Converter
2008-01-02 16:10 --------- d-----w C:\Program Files\QuickPar
2008-01-02 01:16 --------- d-----w C:\Program Files\LucasArts
2008-01-01 18:39 --------- d-----w C:\Program Files\Q3E Minimizer v1.51
2007-12-31 20:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-12-31 16:13 --------- d-----w C:\Program Files\Yahoo!
2007-12-29 03:00 --------- d-----w C:\Program Files\DivX
2007-12-29 02:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-27 17:37 --------- d-----w C:\Program Files\Eidos Interactive
2007-12-27 06:25 --------- d-----w C:\Program Files\The Legend of Lotus Spring
2007-12-24 20:29 --------- d-----w C:\Program Files\GameSpy
2007-12-24 20:26 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-12-24 20:26 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 20:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-24 20:26 22,328 ----a-w C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-12-24 20:26 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-24 20:11 --------- d-----w C:\Program Files\Electronic Arts
2007-12-24 17:25 --------- d-----w C:\Program Files\The Adventure Company
2007-12-24 08:56 --------- d-----w C:\Program Files\HyCam2
2007-12-23 18:37 --------- d-----w C:\Program Files\ScummVM
2007-12-23 17:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ScummVM
2007-12-21 18:43 --------- d-----w C:\Program Files\MimarSinan CompreXX mk4
2007-12-21 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\{0A3EDBAE-2B00-4FD1-B634-A472E0AB8AE7}
2007-12-21 18:17 --------- d-----w C:\Program Files\Smith Micro
2007-12-19 02:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-12-14 06:57 --------- d-----w C:\Program Files\QuickTime
2007-12-14 02:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-13 23:55 216,064 ----a-w C:\WINDOWS\iun3405.exe
2007-12-10 01:35 --------- d-----w C:\Program Files\DOSBox-0.65
2007-12-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-06 05:29 --------- d-----w C:\Program Files\The Babylon Project
2007-12-05 22:24 --------- d-----w C:\Program Files\Wing Commander Saga Prologue
2007-12-05 22:17 --------- d-----w C:\Program Files\OpenAL
2007-12-05 09:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 08:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 08:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 08:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 08:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 08:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 08:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 08:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 08:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 08:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 08:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 08:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 08:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 08:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 08:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 08:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 08:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 08:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 08:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 08:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 08:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 08:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 08:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 08:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 08:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 08:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 08:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 08:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 08:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2005-11-28 23:35 7,486,947 ----a-w C:\Documents and Settings\Owner\Prodigal.exe
2005-11-28 23:35 49,177 ----a-w C:\Documents and Settings\Owner\winsetup.exe
2005-06-05 15:48 45,056 ----a-w C:\Documents and Settings\Owner\AGS_Fire.dll
2002-07-04 18:28 223,744 ----a-w C:\Documents and Settings\Owner\alleg40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-17 10:57 1581056]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:24 579072]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 11:15 83968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"CTHelper"="CTHELPER.EXE" [2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 15:20 78848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 08:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NWCWorkstation"=2 (0x2)

R0 SI3112;SiI-3512 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys [2003-09-04 05:45]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-06-09 10:56]
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 15:19]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-07-20 06:37]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 15:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 15:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 15:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 15:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 15:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 15:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 15:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 15:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 15:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 15:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 15:20]
S0 si3112r;si3112r;C:\WINDOWS\system32\drivers\si3112r.sys [2003-02-24 04:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a3ce22-eea6-11db-b958-000fea46994d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 00:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 16:30:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-02-04 16:36:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 23:36:22
ComboFix2.txt 2008-02-03 05:03:45
ComboFix3.txt 2007-09-28 19:47:04
ComboFix4.txt 2007-09-21 00:51:45
ComboFix5.txt 2007-04-28 03:21:33

HijackThis Log Feb 5 Monday 08 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:18 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200356463979
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8702 bytes


This AM when I began to scan (found nothing with AVG, Spybot or AdAware), I had a hijack attempt by a program that wanted to direct me via 3D newsfeed ... and a bunch of code; I looked but could not find it in the Windows, IE or Program Files directories.

There may be some installers lurking in the SUN Java files; I could delete the Java install and reload?

Anyhoo, here are the two logs you asked for. ComboFix ran fine, as did HijackThis. Thanks so much for the help, Grinler.

That hijacker redirect is not operating now. :blink:
:thumbsup:
chris

Edited by CrisGer, 04 February 2008 - 07:15 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:00 PM

Posted 05 February 2008 - 11:03 AM

Don't worry about the Java stuff. Will clean that out after.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Documents and Settings\Owner\winsetup.exe
C:\Documents and Settings\Owner\Prodigal.exe
C:\WINDOWS\system32\N067u.dat
C:\WINDOWS\system32\N67WIMG.DLL
C:\WINDOWS\system32\N67WUD.DLL
C:\WINDOWS\system32\N067UFW.DLL
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\drivers\Ubh05.sys
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\404206270
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\WINDOWS\system32\PXQx4r.syz
C:\WINDOWS\system32\YaL1hF.syz
C:\WINDOWS\system32\sSBe9M.syz
C:\WINDOWS\system32\hGQouz.syz
C:\WINDOWS\system32\pAUMUd.syz
C:\WINDOWS\system32\6qslYe.syz
C:\WINDOWS\system32\XDqb8Y.syz
C:\WINDOWS\system32\lv0VmL.syz
C:\Documents and Settings\Owner\ie_updates3r.exe
C:\ie_updater.exe


Save this as the text file CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#10 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:02:00 PM

Posted 05 February 2008 - 02:49 PM

ComboFix 08-02.03.1 - Owner 2008-02-05 12:38:29.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.515 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\Documents and Settings\Owner\ie_updates3r.exe
C:\Documents and Settings\Owner\Prodigal.exe
C:\Documents and Settings\Owner\winsetup.exe
C:\ie_updater.exe
C:\WINDOWS\system32\404206270
C:\WINDOWS\system32\6qslYe.syz
C:\WINDOWS\system32\drivers\Ubh05.sys
C:\WINDOWS\system32\hGQouz.syz
C:\WINDOWS\system32\lv0VmL.syz
C:\WINDOWS\system32\N067u.dat
C:\WINDOWS\system32\N067UFW.DLL
C:\WINDOWS\system32\N67WIMG.DLL
C:\WINDOWS\system32\N67WUD.DLL
C:\WINDOWS\system32\pAUMUd.syz
C:\WINDOWS\system32\PXQx4r.syz
C:\WINDOWS\system32\sSBe9M.syz
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\XDqb8Y.syz
C:\WINDOWS\system32\YaL1hF.syz
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\Documents and Settings\Owner\Prodigal.exe
C:\Documents and Settings\Owner\winsetup.exe
C:\WINDOWS\system32\404206270
C:\WINDOWS\system32\6qslYe.syz
C:\WINDOWS\system32\drivers\Ubh05.sys
C:\WINDOWS\system32\hGQouz.syz
C:\WINDOWS\system32\lv0VmL.syz
C:\WINDOWS\system32\N067u.dat
C:\WINDOWS\system32\N067UFW.DLL
C:\WINDOWS\system32\N67WIMG.DLL
C:\WINDOWS\system32\N67WUD.DLL
C:\WINDOWS\system32\pAUMUd.syz
C:\WINDOWS\system32\PXQx4r.syz
C:\WINDOWS\system32\sSBe9M.syz
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\XDqb8Y.syz
C:\WINDOWS\system32\YaL1hF.syz

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-01 20:07 . 2008-02-04 14:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 20:07 . 2008-02-01 20:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Program Files\Download Manager
2008-01-14 17:21 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-14 17:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-14 17:21 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-14 16:57 . 2008-01-14 16:58 <DIR> d--h----- C:\ErdUndoCache
2008-01-14 16:57 . 2003-01-29 02:45 69,632 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-01-14 16:57 . 2004-08-03 23:00 29,056 --a--c--- C:\WINDOWS\system32\dllcache\ip6fw.sys
2008-01-14 08:51 . 2003-07-31 02:01 69,120 --a------ C:\WINDOWS\system32\SilSupp.cpl
2008-01-14 08:51 . 2003-09-04 05:45 55,144 --a------ C:\WINDOWS\system32\drivers\si3112.sys
2008-01-14 08:51 . 2003-06-09 10:56 10,112 --a------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2008-01-13 08:52 . 2008-01-13 08:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 08:49 . 2008-01-13 09:02 <DIR> d-------- C:\SDFix
2008-01-12 11:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 11:31 . 2008-01-12 11:32 <DIR> d-------- C:\Program Files\Java
2008-01-12 11:30 . 2008-01-12 11:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-09 15:38 . 2000-04-12 20:02 119,808 -ra------ C:\WINDOWS\system32\ITLIB32.DLL
2008-01-09 15:38 . 2000-04-12 20:02 45,056 -ra------ C:\WINDOWS\system32\CANOIT32.EXE
2008-01-08 19:30 . 2008-01-08 19:33 <DIR> d-------- C:\DeusEx
2008-01-05 13:52 . 2008-01-05 13:52 0 --a------ C:\WINDOWS\Twunk002.MTX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 23:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-02-04 20:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-04 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-01 05:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:03 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-01-18 23:45 --------- d-----w C:\Program Files\Funcom
2008-01-14 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 01:34 --------- d-----w C:\Program Files\EA GAMES
2008-01-06 22:08 --------- d-----w C:\Program Files\Common Files\DAZ
2008-01-02 22:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 22:03 --------- d-----w C:\Program Files\Doom 3
2008-01-02 22:02 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2008-01-02 22:00 --------- d-----w C:\Program Files\Audio Converter
2008-01-02 16:10 --------- d-----w C:\Program Files\QuickPar
2008-01-02 01:16 --------- d-----w C:\Program Files\LucasArts
2008-01-01 18:39 --------- d-----w C:\Program Files\Q3E Minimizer v1.51
2007-12-31 20:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-12-31 16:13 --------- d-----w C:\Program Files\Yahoo!
2007-12-29 03:00 --------- d-----w C:\Program Files\DivX
2007-12-29 02:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-27 17:37 --------- d-----w C:\Program Files\Eidos Interactive
2007-12-27 06:25 --------- d-----w C:\Program Files\The Legend of Lotus Spring
2007-12-24 20:29 --------- d-----w C:\Program Files\GameSpy
2007-12-24 20:26 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-12-24 20:26 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 20:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-24 20:26 22,328 ----a-w C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-12-24 20:26 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-24 20:11 --------- d-----w C:\Program Files\Electronic Arts
2007-12-24 17:25 --------- d-----w C:\Program Files\The Adventure Company
2007-12-24 08:56 --------- d-----w C:\Program Files\HyCam2
2007-12-23 18:37 --------- d-----w C:\Program Files\ScummVM
2007-12-23 17:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ScummVM
2007-12-21 18:43 --------- d-----w C:\Program Files\MimarSinan CompreXX mk4
2007-12-21 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\{0A3EDBAE-2B00-4FD1-B634-A472E0AB8AE7}
2007-12-21 18:17 --------- d-----w C:\Program Files\Smith Micro
2007-12-19 02:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-12-14 06:57 --------- d-----w C:\Program Files\QuickTime
2007-12-14 02:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-13 23:55 216,064 ----a-w C:\WINDOWS\iun3405.exe
2007-12-10 01:35 --------- d-----w C:\Program Files\DOSBox-0.65
2007-12-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-06 05:29 --------- d-----w C:\Program Files\The Babylon Project
2007-12-05 22:24 --------- d-----w C:\Program Files\Wing Commander Saga Prologue
2007-12-05 22:17 --------- d-----w C:\Program Files\OpenAL
2007-12-05 09:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 08:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 08:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 08:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 08:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 08:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 08:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 08:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 08:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 08:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 08:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 08:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 08:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 08:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 08:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 08:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 08:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 08:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 08:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 08:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 08:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 08:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 08:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 08:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 08:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 08:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 08:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 08:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 08:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 08:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 08:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2005-06-05 15:48 45,056 ----a-w C:\Documents and Settings\Owner\AGS_Fire.dll
2002-07-04 18:28 223,744 ----a-w C:\Documents and Settings\Owner\alleg40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-17 10:57 1581056]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:24 579072]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 11:15 83968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"CTHelper"="CTHELPER.EXE" [2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 15:20 78848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 08:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NWCWorkstation"=2 (0x2)

R0 SI3112;SiI-3512 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys [2003-09-04 05:45]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-06-09 10:56]
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 15:19]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-07-20 06:37]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 15:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 15:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 15:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 15:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 15:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 15:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 15:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 15:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 15:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 15:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 15:20]
S0 si3112r;si3112r;C:\WINDOWS\system32\drivers\si3112r.sys [2003-02-24 04:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a3ce22-eea6-11db-b958-000fea46994d}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 00:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 12:42:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:46 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200356463979
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8737 bytes


.
Completion time: 2008-02-05 12:46:14
ComboFix-quarantined-files.txt 2008-02-05 19:46:12
ComboFix2.txt 2008-02-04 23:36:25
ComboFix3.txt 2008-02-03 05:03:45
ComboFix4.txt 2007-09-28 19:47:04
ComboFix5.txt 2007-09-21 00:51:45
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
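As an added example, not part of the thread and not code from HijackThis or ComboFix, here is a small Python triage pass over the kind of entries in the log above. The sample input is a constructed excerpt of lines from the posted log (plus the mountpoints2 autorun line from the ComboFix section); the tag names and flagging rules are this example's own heuristics. A flag is a prompt to check a file, not a verdict: HijackThis prints "Unknown owner" when the binary carries no company name in its version resource, "(file missing)" marks a service whose binary is gone, and a Run entry that names a bare executable (CTHELPER.EXE, nwiz.exe) leaves resolution to the loader's search order, so it is worth confirming which file actually ran (ComboFix resolved both to full paths above). The helper in this thread did not ask for any of these entries to be removed.

```python
import re

# Constructed sample input: lines excerpted from the HijackThis log posted
# above, plus the mountpoints2 autorun entry from the ComboFix section.
# It is a small subset, not the whole log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
\Shell\AutoRun\command - F:\setupSNK.exe
"""

# Line shapes for the entry types this triage looks at (heuristics of this
# example, not HijackThis's own parser).
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')


def executable_of(cmd):
    """Return the executable part of a Run-key command line.

    Handles a double-quoted path followed by arguments as well as an
    unquoted name with arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def is_unqualified(exe):
    """True when the name has no drive or directory: the loader resolves it by
    search order, so a same-named file earlier in that order would win."""
    return '\\' not in exe and ':' not in exe


def triage(log_text):
    """Return (tag, line) pairs for the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('O2 - BHO: (no name)'):
            # A BHO with no description: identify the DLL by path and vendor.
            findings.append(('bho-unnamed', line))
        elif O4_RE.match(line):
            m = O4_RE.match(line)
            if is_unqualified(executable_of(m['cmd'])):
                findings.append(('run-unqualified-path', line))
        elif line.startswith('O10 - Unknown file in Winsock LSP'):
            # A Winsock LSP sees all socket traffic; an unrecognised one needs a name.
            findings.append(('lsp-unknown', line))
        elif O16_RE.match(line):
            # Downloaded ActiveX controls: list every origin for review.
            findings.append(('activex-download', line))
        elif O23_RE.match(line):
            m = O23_RE.match(line)
            if m['path'].endswith('(file missing)'):
                findings.append(('service-orphaned', line))
            elif m['owner'] == 'Unknown owner':
                # No company name in the version resource; verify the binary itself.
                findings.append(('service-unknown-owner', line))
        elif AUTORUN_RE.match(line):
            # Autorun command recorded for a removable volume (the F: drive above).
            findings.append(('removable-autorun', line))
    return findings


if __name__ == '__main__':
    for tag, line in triage(SAMPLE_LOG):
        print(f'{tag:24} {line}')
```

Run it as-is and it prints eight findings from the excerpt; point `triage()` at a full saved HijackThis log to get the same shortlist for a real machine. The O23 rule deliberately reports an orphaned service before its owner, since a stale entry for a missing binary is a cleanup item regardless of who wrote it.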

#11 Grinler (Lawrence Abrams), Admin, USA

Posted 05 February 2008 - 03:08 PM

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

When done, let me know how the comp is acting. Should be clean at this point.

#12 CrisGer (Topic Starter), Members, Colorado and California

Posted 05 February 2008 - 03:51 PM

Grinler, sorry,
i keep getting virus alerts pop up as i am working, one yesterday and two today so far, and these are the addresses:

C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002818.exe

C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002819.exe

C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002820.exe

is something breeding and reproducing in the restore point?
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#13 Grinler (Lawrence Abrams), Admin, USA

Posted 05 February 2008 - 03:55 PM

Nah...cleaning restore points is the last step in a cleanup process.

How's the machine running other than those?

#14 CrisGer (Topic Starter), Members, Colorado and California

Posted 05 February 2008 - 05:11 PM

Looks very happy , running sweet and smooth, no nasties, spybot or adware found. :thumbsup:
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#15 Grinler (Lawrence Abrams), Admin, USA

Posted 05 February 2008 - 05:33 PM

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable system restore here for your particular Windows Version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable system restore with instructions from the tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
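The alert paths reported in #12 and the cleanup order given in the post above, as an added example that is not part of the thread: a Python helper that maps each path an antivirus product flags to the step that actually clears it. The restore-point regex, category names and action text are this example's own; the three non-restore paths in the sample are hypothetical, constructed only to exercise the other branches. Files under System Volume Information\_restore are System Restore's own copies of files that changed on the system; they are not executed unless that restore point is applied, which is why flushing restore points is the last step, after nothing live is left to be snapshotted again.

```python
import re

# Path shape of a System Restore snapshot copy on Windows XP (this example's
# own regex, not anything from the tools used in the thread).
RESTORE_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}'
    r'\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$',
    re.IGNORECASE,
)

# Constructed sample: the three paths reported in post #12, plus three
# hypothetical paths that exercise the other branches.
SAMPLE_ALERTS = [
    r'C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002818.exe',
    r'C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002819.exe',
    r'C:\System Volume Information\_restore{54BFCF63-7301-49B8-A468-504383C4AF2D}\RP6\A0002820.exe',
    # hypothetical: a dropper left in the user's temp directory
    r'C:\Documents and Settings\Owner\Local Settings\Temp\setup_tmp1.exe',
    # hypothetical: a cached page in Temporary Internet Files
    r'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ad[1].htm',
    # hypothetical: a file in a live system location
    r'C:\WINDOWS\system32\unknown_hook.dll',
]

# Category -> the cleanup step from the post above that clears it.
ACTIONS = {
    'restore-point': 'flush System Restore (disable, reboot, re-enable) once everything else is clean',
    'browser-cache': 'Internet Options > Delete Files, with "Delete offline content" ticked',
    'temp': 'delete the contents of %temp%; use Safe Mode for files that will not delete',
    'live': 'an active file: needs removal and a rescan, the cleanup steps alone do not cover it',
}


def classify(path):
    """Return (category, restore point name or None) for one alert path."""
    m = RESTORE_RE.match(path)
    if m:
        return 'restore-point', 'RP' + m['rp']
    low = path.lower()
    if '\\temporary internet files\\' in low:
        return 'browser-cache', None
    if '\\temp\\' in low:
        return 'temp', None
    return 'live', None


def summarize(paths):
    """Group alert paths by category; restore-point hits are keyed by RP number."""
    out = {'restore-point': {}, 'browser-cache': [], 'temp': [], 'live': []}
    for p in paths:
        cat, rp = classify(p)
        if cat == 'restore-point':
            out[cat].setdefault(rp, []).append(p)
        else:
            out[cat].append(p)
    return out


def needs_live_cleanup(paths):
    """True if any alert points at something other than a snapshot or cache copy."""
    return bool(summarize(paths)['live'])


if __name__ == '__main__':
    for cat, items in summarize(SAMPLE_ALERTS).items():
        print(f'{cat}: {items}')
        print(f'   -> {ACTIONS[cat]}')
```

On the three paths actually posted in #12, `summarize()` reports a single restore point (RP6) and nothing live, which matches the reply in #13: nothing is "breeding", the AV is reading copies inside one snapshot, and the snapshot is dealt with at the end.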



