Search Daily Trojan - Hjt Log


  • This topic is locked
27 replies to this topic

#16 Baabiouz (Finnish Malware Fighter, 3,355 posts, Finland)

Posted 16 February 2008 - 09:11 AM

Hi!

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


Step #1
Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {DA59F88F-5A6E-4DE5-9B10-BF48520D7374} - C:\WINDOWS\system32\CDDBControlSonyr.dll


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #2
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\CDDBControlSonyr.dll
    C:\Documents and Settings\Here\Incomplete\T-2559308-Rare Recording (dick).wma
    C:\Documents and Settings\Here\Incomplete\T-3200824-07 Track 7 (dick).wma
    C:\Documents and Settings\Here\Incomplete\T-4183160-03 Track 3 (dick).wma
    C:\Documents and Settings\All Users\Application Data\THISDASHFUNKCOMP
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C90952EC-1AA2-4546-92B0-FEF8BD
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step #3
Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
Netpumper
BitRoll
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Zone Media


Please download NoLop and save it to your desktop.
alternate download link 1
alternate download link 2
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
  • Now click the button labeled "Search and Destroy"
  • When scanning is finished you will be prompted to reboot only if infected. Click OK.
  • Now click the "REBOOT" button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log along with a fresh HijackThis log in your next reply.
--If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder, then rerun NoLop.

Step #4
Please post a fresh HijackThis log and Nolop log back here :thumbsup:

Edited by Baabiouz, 17 February 2008 - 08:57 AM.


#17 kremlingazette (Topic Starter, 27 posts)

Posted 17 February 2008 - 06:30 AM

OT Scan

DllUnregisterServer procedure not found in C:\WINDOWS\system32\CDDBControlSonyr.dll
C:\WINDOWS\system32\CDDBControlSonyr.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\CDDBControlSonyr.dll scheduled to be moved on reboot.
C:\Documents and Settings\Here\Incomplete\T-2559308-Rare Recording (dick).wma moved successfully.
C:\Documents and Settings\Here\Incomplete\T-3200824-07 Track 7 (dick).wma moved successfully.
C:\Documents and Settings\Here\Incomplete\T-4183160-03 Track 3 (dick).wma moved successfully.
C:\Documents and Settings\All Users\Application Data\THISDASHFUNKCOMP moved successfully.
C:\Program Files\Microsoft AntiSpyware\Quarantine\C90952EC-1AA2-4546-92B0-FEF8BD moved successfully.

OTMoveIt2 v1.0.17 log created on 02172008_112121
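The "File move failed ... scheduled to be moved on reboot" line above means OTMoveIt2 could not move the loaded DLL and fell back to the delayed move Windows provides through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. That call records the source/destination pair in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager performs the move early in the next boot, before the DLL can be loaded again. A responder confirming the fix would dump that value (for example with reg query, or from an offline SYSTEM hive) and decode it. The Python below is an added example, not code from this thread, from OTMoveIt2 or from Windows: it builds a blob in the format Windows uses (UTF-16LE, NUL-separated strings, source/destination pairs, an empty destination meaning delete, a leading "!" on the destination meaning replace-existing, paths in NT "\??\" form), decodes it, and looks up whether a given file is still queued. The blob is constructed inline; the destination folder under C:\_OTMoveIt\MovedFiles is an assumed layout, not taken from the page.

```python
"""Decode a PendingFileRenameOperations value and check whether a file is
still queued for move-on-reboot.

Added example: not part of the thread, OTMoveIt2 or Windows. The sample blob
is constructed here in the layout Windows writes for this value.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingRename:
    source: str                 # Win32 path, NT prefix stripped
    destination: Optional[str]  # None means "delete at boot"
    replace_existing: bool      # destination carried the leading '!' flag


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob: each string NUL-terminated, plus a final NUL."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob, keeping empty elements in the middle
    (an empty destination is how a pending *delete* is expressed)."""
    text = blob.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]          # list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()               # terminator of the last string
    return parts


def _win32_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def parse_pending_renames(blob: bytes) -> List[PendingRename]:
    """Pair up source/destination strings into PendingRename records."""
    parts = decode_multi_sz(blob)
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingRename(_win32_path(src), _win32_path(dst) or None, replace))
    return ops


def find_pending(ops: List[PendingRename], path: str) -> Optional[PendingRename]:
    """Case-insensitive lookup, since NTFS paths compare case-insensitively."""
    wanted = path.lower()
    return next((op for op in ops if op.source.lower() == wanted), None)


# Constructed sample of what the value could hold after the OTMoveIt2 run above.
# The MovedFiles\02172008_112121\... destination is an assumed folder layout.
SAMPLE_BLOB = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\CDDBControlSonyr.dll",
    r"!\??\C:\_OTMoveIt\MovedFiles\02172008_112121\WINDOWS\system32\CDDBControlSonyr.dll",
    r"\??\C:\WINDOWS\Temp\leftover.tmp",   # constructed delete entry
    "",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_BLOB):
        action = "DELETE" if op.destination is None else f"MOVE -> {op.destination}"
        flag = " (replace existing)" if op.replace_existing else ""
        print(f"{op.source}: {action}{flag}")
```

After the reboot the value should be gone and the DLL absent from system32; if the value is still present, or the DLL is back, the move was either never performed or something re-created the file, and that is worth reporting before moving on to the next step.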

#18 kremlingazette (Topic Starter, 27 posts)

Posted 17 February 2008 - 06:59 AM

NoLop Scan

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Here\Desktop
[17/02/2008]
[11:35:57]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Apple Computer
C:\Documents and Settings\Administrator\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator.ivanski-c62e6da\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Autodesk
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Driving Test Success
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Hazard Perception Training
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Motivesysids
C:\Documents and Settings\All Users\Application Data\Msn Toolbar Suite
C:\Documents and Settings\All Users\Application Data\My Pictures
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sony Corporation
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\All Users.windows\Application Data\Apple
C:\Documents and Settings\All Users.windows\Application Data\Apple Computer
C:\Documents and Settings\All Users.windows\Application Data\Avg7
C:\Documents and Settings\All Users.windows\Application Data\Babylon -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Channel4
C:\Documents and Settings\All Users.windows\Application Data\Dfx
C:\Documents and Settings\All Users.windows\Application Data\Google
C:\Documents and Settings\All Users.windows\Application Data\Grisoft
C:\Documents and Settings\All Users.windows\Application Data\Installshield
C:\Documents and Settings\All Users.windows\Application Data\Iolo -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users.windows\Application Data\Kontiki
C:\Documents and Settings\All Users.windows\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Nvidia
C:\Documents and Settings\All Users.windows\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Protexis
C:\Documents and Settings\All Users.windows\Application Data\Skype
C:\Documents and Settings\All Users.windows\Application Data\Sony Corporation
C:\Documents and Settings\All Users.windows\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users.windows\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Trymedia
C:\Documents and Settings\All Users.windows\Application Data\Ulead Systems
C:\Documents and Settings\All Users.windows\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users.windows\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users.windows\Application Data\Winzip -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows\Application Data\Microsoft
C:\Documents and Settings\Here\Application Data\.abc
C:\Documents and Settings\Here\Application Data\Abexo
C:\Documents and Settings\Here\Application Data\Adobe
C:\Documents and Settings\Here\Application Data\Ahead
C:\Documents and Settings\Here\Application Data\Apple Computer
C:\Documents and Settings\Here\Application Data\Avg7
C:\Documents and Settings\Here\Application Data\Babylon
C:\Documents and Settings\Here\Application Data\Bittorrent
C:\Documents and Settings\Here\Application Data\Bsplayer
C:\Documents and Settings\Here\Application Data\Bsplayer Pro
C:\Documents and Settings\Here\Application Data\Converttemp -- EMPTY Directory
C:\Documents and Settings\Here\Application Data\Divx
C:\Documents and Settings\Here\Application Data\Dvdcss
C:\Documents and Settings\Here\Application Data\Fma -- EMPTY Directory
C:\Documents and Settings\Here\Application Data\Google
C:\Documents and Settings\Here\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Here\Application Data\Ideazon
C:\Documents and Settings\Here\Application Data\Identities
C:\Documents and Settings\Here\Application Data\Imsidesign
C:\Documents and Settings\Here\Application Data\Intertrust
C:\Documents and Settings\Here\Application Data\Iolo -- EMPTY Directory
C:\Documents and Settings\Here\Application Data\Jasc Software Inc
C:\Documents and Settings\Here\Application Data\Lavasoft
C:\Documents and Settings\Here\Application Data\Macromedia
C:\Documents and Settings\Here\Application Data\Microsoft
C:\Documents and Settings\Here\Application Data\Mozilla
C:\Documents and Settings\Here\Application Data\Msninstaller
C:\Documents and Settings\Here\Application Data\Nokia
C:\Documents and Settings\Here\Application Data\Quitcounter
C:\Documents and Settings\Here\Application Data\Rapidget
C:\Documents and Settings\Here\Application Data\Real
C:\Documents and Settings\Here\Application Data\Samsung
C:\Documents and Settings\Here\Application Data\Sharp World Clock
C:\Documents and Settings\Here\Application Data\Skypepm
C:\Documents and Settings\Here\Application Data\Sony Corporation
C:\Documents and Settings\Here\Application Data\Sony Ericsson
C:\Documents and Settings\Here\Application Data\Sports Interactive
C:\Documents and Settings\Here\Application Data\Sun
C:\Documents and Settings\Here\Application Data\Teamspeak2
C:\Documents and Settings\Here\Application Data\Teleca
C:\Documents and Settings\Here\Application Data\Temporary
C:\Documents and Settings\Here\Application Data\Transrender -- EMPTY Directory
C:\Documents and Settings\Here\Application Data\Usenext
C:\Documents and Settings\Here\Application Data\Vlc
C:\Documents and Settings\Here\Application Data\Webroot
C:\Documents and Settings\Here\Application Data\Xfire
C:\Documents and Settings\Here\Application Data\Yahoo!
C:\Documents and Settings\Here\Application Data\Yahoo! Messenger
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Xfire -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Xfire -- EMPTY Directory
C:\Documents and Settings\Nick\Application Data\Adobe
C:\Documents and Settings\Nick\Application Data\Adobeum
C:\Documents and Settings\Nick\Application Data\Aim
C:\Documents and Settings\Nick\Application Data\Apple Computer
C:\Documents and Settings\Nick\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Nick\Application Data\Bittorrent
C:\Documents and Settings\Nick\Application Data\Google
C:\Documents and Settings\Nick\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Nick\Application Data\Identities
C:\Documents and Settings\Nick\Application Data\Interact Commerce
C:\Documents and Settings\Nick\Application Data\Jasc Software Inc
C:\Documents and Settings\Nick\Application Data\Macromedia
C:\Documents and Settings\Nick\Application Data\Microsoft
C:\Documents and Settings\Nick\Application Data\Msninstaller
C:\Documents and Settings\Nick\Application Data\Real
C:\Documents and Settings\Nick\Application Data\Samsung
C:\Documents and Settings\Nick\Application Data\Sony Corporation
C:\Documents and Settings\Nick\Application Data\Sports Interactive
C:\Documents and Settings\Nick\Application Data\Sun
C:\Documents and Settings\Nick\Application Data\Systweak
C:\Documents and Settings\Nick\Application Data\?ymbols

HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:28, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiconf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Documents and Settings\Here\Desktop\Unused Desktop Shortcuts\Here.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DA59F88F-5A6E-4DE5-9B10-BF48520D7374} - C:\WINDOWS\system32\CDDBControlSonyr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msiconf.exe] msiconf.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862862656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862853390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6077 bytes

There were no finds by the NoLop scanner, and no errors. The other tasks given at the start of your instructions have been done without problem.

Just a point: when I was in C:\Program Files looking through the folder I got a window popup telling me of a potential browser hijack. It wasn't my AVG etc., definitely spurious! Let's hope there's nothing else lurking...


Thanks



Ivan
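Step #1 of the instructions picked three entries out of this log by eye: an R0 Local Page pair and a BHO registered with no name. The parser below is an added example, not code from this thread or from HijackThis, that applies the same kind of first-pass reading to the HijackThis line format. It flags O2 BHOs with "(no name)", O4 Run entries whose image is a bare filename (resolved through the search path rather than a fixed location), O16 ActiveX downloads fetched from a raw IP address, O17 name servers outside private address space (to be confirmed against the ISP, which is what a PPP dial-up setup like the one in the SmitfraudFix output normally shows), and O23 services with an unknown owner. The sample log is a subset constructed from the log posted above; the rules are the example's own assumptions about what deserves a second look, and a hit marks an entry for closer inspection, not as malicious.

```python
"""Triage heuristics over HijackThis-format log lines.

Added example: not code from the thread or from HijackThis. SAMPLE_LOG is a
constructed subset of the log posted in the thread; the rules are assumptions
about what a responder checks first, and a hit means "look closer".
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DA59F88F-5A6E-4DE5-9B10-BF48520D7374} - C:\WINDOWS\system32\CDDBControlSonyr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msiconf.exe] msiconf.exe
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section id, e.g. "O2"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^HK[^:]*\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_DPF = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
_NS = re.compile(r"NameServer = (?P<servers>.+)$")
_SVC = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _is_ip_literal(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def _is_public_ip(text: str) -> bool:
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def _image_is_bare(cmd: str) -> bool:
    """True when the first token has no directory part, so Windows resolves it
    through the search path. (This also flags 'RUNDLL32.EXE ...' lines, which
    is acceptable: the DLL argument is what needs checking there.)"""
    tokens = cmd.strip().split()
    if not tokens:
        return False
    image = tokens[0].strip('"')
    return "\\" not in image and ":" not in image


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "O2":
            b = _BHO.match(body)
            if b and b["name"].strip().lower() == "(no name)":
                findings.append(Finding(sec, "BHO registered without a name", line))
        elif sec == "O4":
            r = _RUN.match(body)
            if r and _image_is_bare(r["cmd"]):
                findings.append(Finding(sec, "Run entry uses a bare image name resolved via the search path", line))
        elif sec == "O16":
            d = _DPF.match(body)
            if d and _is_ip_literal(urlparse(d["url"]).hostname):
                findings.append(Finding(sec, "ActiveX download source is a raw IP address", line))
        elif sec == "O17":
            n = _NS.search(body)
            if n:
                public = [s for s in n["servers"].split() if _is_public_ip(s)]
                if public:
                    findings.append(Finding(sec, "public DNS servers on interface, confirm with ISP: " + " ".join(public), line))
        elif sec == "O23":
            s = _SVC.match(body)
            if s and s["owner"].strip().lower() == "unknown owner":
                findings.append(Finding(sec, "service binary has no identifiable vendor", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five entries: the nameless BHO the helper already targeted, the msiconf.exe Run entry, the AMC.cab download from 217.23.231.4, the two 212.139.132.x name servers, and the LicCtrl service. Each of those is something to confirm (the DNS servers against the ISP, the service against the software that installed it), not something to delete on sight.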

#19 kremlingazette (Topic Starter, 27 posts)

Posted 17 February 2008 - 08:26 AM

I've got that message again. Here it is:

Trojan Adware.W32.ExpDwnldr spyware detected.Tis trojan allows
attackers to access your computer from remote locations,
stealing passwords,Internet banking and personal data.
This also prompts advertising popups.This process is a security
risk and should be removed from your system.

Type Trojan Horse

System Affected Windows98,200,NT4,XP

Security Risk (0-5) 4

Recomendations Click "Yes" to gat anti spyware options

I'm not clicking yes! It appears with the computer at idle, connected to the net.

Ivan

#20 Baabiouz (Finnish Malware Fighter, 3,355 posts, Finland)

Posted 24 February 2008 - 12:04 PM

Hi!

Sorry for delay. :blink:

Step #1

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #2
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


Step #3
Please post a fresh HijackThis log, Combofix log and Smitfraudfix report back here :thumbsup:

#21 kremlingazette (Topic Starter, 27 posts)

Posted 27 February 2008 - 02:15 AM

Here is the SmitfraudFix scan:


SmitFraudFix v2.296

Scan done at 6:58:16.81, 27/02/2008
Run from C:\Documents and Settings\Here\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Here


C:\Documents and Settings\Here\Application Data


Start Menu


C:\DOCUME~1\Here\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 212.139.132.44
DNS Server Search Order: 212.139.132.43

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer=212.139.132.44 212.139.132.43
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer=212.139.132.44 212.139.132.43


Scanning for wininet.dll infection


End

And the ComboFix scan:

ComboFix 08-02-25.3 - Here 2008-02-27 7:00:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.229 [GMT 0:00]
Running from: C:\Documents and Settings\Here\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nick\Application Data\YMBOLS~1
C:\WINDOWS\system32\cddbcontrolsonyr.dll
C:\WINDOWS\system32\drivers\qxbuznbl.dat
C:\WINDOWS\system32\u2g.f
C:\WINDOWS\system32\winiconmon.ico
C:\WINDOWS\system32\winiconmon.ico.bak0

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_YBSCHUNQ
-------\ybschunq


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-27 06:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-27 06:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-27 06:57 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-27 06:57 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-27 06:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-27 06:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-27 06:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 11:58 . 2008-02-26 11:59 <DIR> d-------- C:\Program Files\BitLord
2008-02-24 17:43 . 2008-02-24 17:43 <DIR> d----c--- C:\SLSK
2008-02-24 17:28 . 2008-02-26 12:00 <DIR> d-------- C:\Program Files\Soulseek
2008-02-23 21:19 . 2008-02-23 21:19 268 --ah-c--- C:\sqmdata18.sqm
2008-02-23 21:19 . 2008-02-23 21:19 244 --ah-c--- C:\sqmnoopt18.sqm
2008-02-23 10:45 . 2008-02-27 07:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 10:45 . 2008-02-23 10:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 22:29 . 2008-02-22 22:29 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 22:29 . 2008-02-22 22:29 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-17 15:09 . 2008-02-17 15:09 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Grisoft
2008-02-17 15:09 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-17 11:35 . 2008-02-17 12:00 212 --a--c--- C:\delete.bat
2008-02-17 09:41 . 2008-02-17 09:41 <DIR> d----c--- C:\Documents and Settings\Here\Trillian
2008-02-12 15:47 . 2008-02-12 15:49 <DIR> d-------- C:\Program Files\TunerPro
2008-02-11 15:35 . 2008-02-11 15:35 <DIR> d-------- C:\Program Files\Sharp World Clock
2008-02-11 15:35 . 2008-02-11 15:38 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Sharp World Clock
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-09 10:45 . 2008-02-09 10:45 <DIR> d-------- C:\Program Files\MSECache
2008-02-08 11:03 . 2008-02-08 11:03 268 --ah-c--- C:\sqmdata17.sqm
2008-02-08 11:03 . 2008-02-08 11:03 244 --ah-c--- C:\sqmnoopt17.sqm
2008-02-06 09:30 . 2008-02-06 09:30 268 --ah-c--- C:\sqmdata16.sqm
2008-02-06 09:30 . 2008-02-06 09:30 244 --ah-c--- C:\sqmnoopt16.sqm
2008-02-04 10:02 . 2008-02-04 10:02 <DIR> d----c--- C:\_OTMoveIt
2008-02-03 14:08 . 2008-02-03 15:49 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\QuitCounter
2008-02-02 16:17 . 2008-02-02 16:17 <DIR> d----c--- C:\Deckard
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 15:56 . 2008-01-31 15:56 268 --ah-c--- C:\sqmdata15.sqm
2008-01-31 15:56 . 2008-01-31 15:56 244 --ah-c--- C:\sqmnoopt15.sqm
2008-01-31 14:21 . 2008-01-31 14:21 268 --ah-c--- C:\sqmdata14.sqm
2008-01-31 14:21 . 2008-01-31 14:21 244 --ah-c--- C:\sqmnoopt14.sqm
2008-01-31 11:25 . 2008-01-31 11:25 268 --ah-c--- C:\sqmdata13.sqm
2008-01-31 11:25 . 2008-01-31 11:25 244 --ah-c--- C:\sqmnoopt13.sqm
2008-01-31 09:17 . 2008-01-31 09:17 268 --ah-c--- C:\sqmdata12.sqm
2008-01-31 09:17 . 2008-01-31 09:17 244 --ah-c--- C:\sqmnoopt12.sqm
2008-01-31 02:02 . 2008-01-31 02:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 16:33 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-26 12:45 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-26 11:51 --------- d-----w C:\Program Files\LimeWire
2008-02-24 20:44 --------- dc----w C:\Documents and Settings\Here\Application Data\AVG7
2008-02-24 13:30 --------- d-----w C:\Program Files\iTunes
2008-02-24 13:29 --------- d-----w C:\Program Files\iPod
2008-02-24 13:27 --------- d-----w C:\Program Files\QuickTime
2008-02-22 19:44 --------- dc----w C:\Documents and Settings\Here\Application Data\Xfire
2008-02-22 19:44 --------- d-----w C:\Program Files\Trillian
2008-02-17 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-15 19:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 18:21 --------- d-s---w C:\Program Files\Xfire
2008-01-28 16:17 --------- d-----w C:\Program Files\RegScrubXP
2008-01-21 18:02 --------- d-----w C:\Program Files\Google
2008-01-20 21:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-20 21:19 --------- dc----w C:\Documents and Settings\Here\Application Data\Babylon
2008-01-20 21:19 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Babylon
2008-01-20 20:32 --------- dc--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-20 16:43 --------- d-----w C:\Program Files\Yahoo!
2008-01-20 15:21 --------- d-----w C:\Program Files\Easy GIF Animator
2008-01-20 10:44 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-01-20 10:42 --------- d-----w C:\Program Files\Samsung
2008-01-20 09:03 --------- dc----w C:\Documents and Settings\Here\Application Data\Yahoo!
2008-01-20 09:03 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-01-16 10:07 --------- d-----w C:\Program Files\Skype
2008-01-10 14:28 --------- dc----w C:\Documents and Settings\Here\Application Data\skypePM
2008-01-10 07:24 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-05 13:49 22,328 -c--a-w C:\Documents and Settings\Here\Application Data\PnkBstrK.sys
2008-01-05 13:38 --------- d-----w C:\Program Files\Activision
2008-01-05 13:31 --------- d-----w C:\Program Files\CCleaner
2008-01-05 10:40 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-01-04 22:29 --------- d-----w C:\Program Files\RegistryFix
2008-01-04 20:56 --------- d-----w C:\Program Files\Registry Cleaner
2008-01-04 20:20 --------- dc----w C:\Documents and Settings\Here\Application Data\Abexo
2008-01-04 20:20 --------- d-----w C:\Program Files\Abexo
2008-01-04 16:45 32 -c--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-01-04 16:42 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-01-04 16:42 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-04 10:41 --------- dc----w C:\Documents and Settings\Here\Application Data\iolo
2008-01-04 10:41 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-01-03 12:31 --------- d-----w C:\Program Files\Alcatel
2008-01-01 16:42 --------- dc----w C:\Documents and Settings\Here\Application Data\Ideazon
2006-09-27 12:23 337 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
2006-09-27 12:22 13,046 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
2006-09-27 12:22 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
2006-09-27 12:01 177,152 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
2006-09-21 13:05 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb153.dat
2006-09-18 12:18 49 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb41.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb8253.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
2006-09-18 10:31 9,216 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb8467.dat
2006-09-18 10:31 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb6334.dat
1997-05-13 17:26 3,206,344 -c--a-w C:\Documents and Settings\Nick\HOSPPAT.EXE
1994-05-31 21:00 265,396 -c--a-w C:\Documents and Settings\Nick\DOS4GW.EXE
2006-11-21 14:12 80 --sh--r C:\WINDOWS\system32\A8D6A4E201.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 12:27 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 23:53 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 10:09 4247552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 04:43 7630848]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 23:51 219136]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSI ToolBar.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSI ToolBar.lnk
backup=C:\WINDOWS\pss\EPSI ToolBar.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-12 04:43 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-08 16:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-01-30 21:39]
R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 21:30]
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2004-07-05 22:24]
S3 SaiHFF12;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiHFF12.sys [2004-07-26 19:54]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 17:06:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 07:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-27 7:12:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 07:12:44
.
2008-02-14 18:00:04 --- E O F ---

Thanks

#22 kremlingazette (Topic Starter, Members, 27 posts)

Posted 27 February 2008 - 02:17 AM

And finally the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:17:10, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Here\Desktop\Unused Desktop Shortcuts\Here.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862862656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862853390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6441 bytes
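An added example, not code from HijackThis, ComboFix or anyone in this thread: a small Python triage script for the HijackThis v2.0.2 entry format used in the log above. It parses the "Oxx - ..." lines into typed entries and applies a few of the checks a log helper makes by eye (an O2 BHO with no display name, an O16 ActiveX control with no friendly name or fetched from a raw IP address, an O23 service with an unknown publisher or a binary outside System32 and Program Files, and O17 resolver addresses to confirm with the ISP). The sample lines are constructed in that format; most echo entries from the log posted above, while the "(no name)" BHO with its CLSID and DLL, and the upload.example.com control, are invented. The checks themselves, including the list of expected service directories, are the example's own assumptions: a flag means "research this item", not that it is malicious.

```python
"""HijackThis v2.0.x log triage (added example for this thread).

Not HijackThis, ComboFix or forum code. It reads the one-line-per-entry
format the logs above use and applies review heuristics a helper applies
by eye. The heuristics are assumptions about what deserves a second look;
a flag is a prompt to research an item, not a verdict that it is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis format. Most lines echo the log posted in
# the thread; the "(no name)" BHO (CLSID and DLL) and the example.com control
# are invented for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {00000000-AAAA-BBBB-CCCC-DDDDDDDDDDDD} (Photo Upload Control) - http://upload.example.com/controls/Uploader.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# "R0 - ...", "O23 - ..." etc.; header lines and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O16 body: "DPF: {CLSID} (Friendly Name) - http://host/file.cab"; the name is optional.
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>.*?)\))? - (?P<url>\S+)$")
# O23 body: "Service: Display Name (ShortName) - Publisher - Path".
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")

# Where XP service binaries normally live (assumption used as a reviewer prompt).
EXPECTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class Entry:
    code: str
    body: str
    flags: list[str] = field(default_factory=list)  # reasons to research the item
    notes: list[str] = field(default_factory=list)  # facts to confirm out of band


def parse_log(text: str) -> list[Entry]:
    """Return the HijackThis entries in a log, in the order they appear."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def _is_raw_ip(host: str | None) -> bool:
    try:
        ip_address(host or "")
        return True
    except ValueError:
        return False


def triage(entry: Entry) -> Entry:
    """Attach flags/notes to one entry according to the heuristics above."""
    body = entry.body
    if entry.code == "O2" and body.startswith("BHO: (no name)"):
        entry.flags.append("BHO registered without a display name")
    elif entry.code == "O16" and (m := O16_RE.match(body)):
        if m["name"] is None:
            entry.flags.append("ActiveX control has no friendly name")
        if _is_raw_ip(urlparse(m["url"]).hostname):
            entry.flags.append("ActiveX control downloaded from a raw IP address")
    elif entry.code == "O17" and (m := O17_RE.search(body)):
        servers = re.split(r"[ ,]+", m["servers"].strip())
        bad = [s for s in servers if not _is_raw_ip(s)]
        if bad:
            entry.flags.append("malformed NameServer value(s): " + ", ".join(bad))
        else:
            entry.notes.append("resolvers " + ", ".join(servers) + " (confirm they belong to the ISP)")
    elif entry.code == "O23" and (m := O23_RE.match(body)):
        if m["owner"].strip().lower() == "unknown owner":
            entry.flags.append("service has no publisher (Unknown owner)")
        if not m["path"].strip().lower().startswith(EXPECTED_SERVICE_DIRS):
            entry.flags.append("service binary outside System32 and Program Files")
    return entry


def triage_log(text: str) -> list[Entry]:
    return [triage(e) for e in parse_log(text)]


def report(text: str) -> list[str]:
    """One line per flag or note, keeping the log's own order."""
    lines = []
    for e in triage_log(text):
        lines.extend(f"{e.code} FLAG  {f}: {e.body}" for f in e.flags)
        lines.extend(f"{e.code} NOTE  {n}" for n in e.notes)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a saved hijackthis.log by passing its contents to report(); the flagged items are the ones to look up before deciding what to tick in "Fix checked", and the O17 note is the line to compare with the resolver addresses the ISP actually hands out.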

#23 Baabiouz (Finnish Malware Fighter, Members, 3,355 posts, Finland)

Posted 28 February 2008 - 01:01 AM

Hi!
Looks better :blink:

Step #1
Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl+C) and paste (Ctrl+V) the following text into the codebox:
File::
C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
C:\Documents and Settings\Nick\Application Data\internaldb153.dat
C:\Documents and Settings\Nick\Application Data\internaldb41.dat
C:\Documents and Settings\Nick\Application Data\internaldb8253.dat
C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
C:\Documents and Settings\Nick\Application Data\internaldb8467.dat
C:\Documents and Settings\Nick\Application Data\internaldb6334.dat


Save this as CFScript.txt

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
(When installing ZoneAlarm, please uncheck the option "include a ZoneAlarm Spy Blocker...". The toolbar is not recommended. You can read more about it here.)
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Step #3
Please post the ComboFix log and a fresh HijackThis log back here :thumbsup:

#24 kremlingazette (Topic Starter, Members, 27 posts)

Posted 29 February 2008 - 08:22 PM

Hello


Here's the ComboFix file
ComboFix 08-03-01 - Here 2008-03-01 1:14:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.252 [GMT 0:00]
Running from: C:\Documents and Settings\Here\Desktop\ECU Mapping\vid\New Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Here\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-27 18:55 . 2008-02-27 18:55 <DIR> d-------- C:\Program Files\Quit Counter
2008-02-27 06:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-27 06:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-27 06:57 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-27 06:57 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-27 06:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-27 06:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-27 06:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 11:58 . 2008-02-26 11:59 <DIR> d-------- C:\Program Files\BitLord
2008-02-24 17:43 . 2008-02-24 17:43 <DIR> d----c--- C:\SLSK
2008-02-24 17:28 . 2008-02-26 12:00 <DIR> d-------- C:\Program Files\Soulseek
2008-02-23 21:19 . 2008-02-23 21:19 268 --ah-c--- C:\sqmdata18.sqm
2008-02-23 21:19 . 2008-02-23 21:19 244 --ah-c--- C:\sqmnoopt18.sqm
2008-02-23 10:45 . 2008-03-01 00:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 10:45 . 2008-02-23 10:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 22:29 . 2008-02-22 22:29 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 22:29 . 2008-02-22 22:29 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-17 15:09 . 2008-02-17 15:09 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Grisoft
2008-02-17 15:09 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-17 11:35 . 2008-02-17 12:00 212 --a--c--- C:\delete.bat
2008-02-17 09:41 . 2008-02-17 09:41 <DIR> d----c--- C:\Documents and Settings\Here\Trillian
2008-02-12 15:47 . 2008-02-12 15:49 <DIR> d-------- C:\Program Files\TunerPro
2008-02-11 15:35 . 2008-02-11 15:35 <DIR> d-------- C:\Program Files\Sharp World Clock
2008-02-11 15:35 . 2008-02-11 15:38 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Sharp World Clock
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-09 10:45 . 2008-02-09 10:45 <DIR> d-------- C:\Program Files\MSECache
2008-02-08 11:03 . 2008-02-08 11:03 268 --ah-c--- C:\sqmdata17.sqm
2008-02-08 11:03 . 2008-02-08 11:03 244 --ah-c--- C:\sqmnoopt17.sqm
2008-02-06 09:30 . 2008-02-06 09:30 268 --ah-c--- C:\sqmdata16.sqm
2008-02-06 09:30 . 2008-02-06 09:30 244 --ah-c--- C:\sqmnoopt16.sqm
2008-02-04 10:02 . 2008-02-04 10:02 <DIR> d----c--- C:\_OTMoveIt
2008-02-03 14:08 . 2008-02-03 15:49 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\QuitCounter
2008-02-02 16:17 . 2008-02-02 16:17 <DIR> d----c--- C:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 16:52 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 18:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-28 18:58 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-28 07:37 --------- dc----w C:\Documents and Settings\Here\Application Data\AVG7
2008-02-28 06:00 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-26 11:51 --------- d-----w C:\Program Files\LimeWire
2008-02-24 13:30 --------- d-----w C:\Program Files\iTunes
2008-02-24 13:29 --------- d-----w C:\Program Files\iPod
2008-02-24 13:27 --------- d-----w C:\Program Files\QuickTime
2008-02-22 19:44 --------- dc----w C:\Documents and Settings\Here\Application Data\Xfire
2008-02-22 19:44 --------- d-----w C:\Program Files\Trillian
2008-02-17 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-15 19:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 18:21 --------- d-s---w C:\Program Files\Xfire
2008-01-31 02:02 54,608 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-01-28 16:17 --------- d-----w C:\Program Files\RegScrubXP
2008-01-21 18:02 --------- d-----w C:\Program Files\Google
2008-01-20 21:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-20 21:19 --------- dc----w C:\Documents and Settings\Here\Application Data\Babylon
2008-01-20 21:19 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Babylon
2008-01-20 20:32 --------- dc--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-20 16:43 --------- d-----w C:\Program Files\Yahoo!
2008-01-20 15:21 --------- d-----w C:\Program Files\Easy GIF Animator
2008-01-20 10:44 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-01-20 10:42 --------- d-----w C:\Program Files\Samsung
2008-01-20 09:03 --------- dc----w C:\Documents and Settings\Here\Application Data\Yahoo!
2008-01-20 09:03 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-01-16 10:07 --------- d-----w C:\Program Files\Skype
2008-01-10 14:28 --------- dc----w C:\Documents and Settings\Here\Application Data\skypePM
2008-01-10 07:24 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-05 14:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-05 13:49 22,328 -c--a-w C:\Documents and Settings\Here\Application Data\PnkBstrK.sys
2008-01-05 13:38 --------- d-----w C:\Program Files\Activision
2008-01-05 13:31 --------- d-----w C:\Program Files\CCleaner
2008-01-05 10:40 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-01-04 22:29 --------- d-----w C:\Program Files\RegistryFix
2008-01-04 20:56 --------- d-----w C:\Program Files\Registry Cleaner
2008-01-04 20:20 --------- dc----w C:\Documents and Settings\Here\Application Data\Abexo
2008-01-04 20:20 --------- d-----w C:\Program Files\Abexo
2008-01-04 16:45 32 -c--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-01-04 16:42 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-01-04 16:42 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-04 10:41 --------- dc----w C:\Documents and Settings\Here\Application Data\iolo
2008-01-04 10:41 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-01-03 12:31 --------- d-----w C:\Program Files\Alcatel
2008-01-01 16:42 --------- dc----w C:\Documents and Settings\Here\Application Data\Ideazon
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-09-27 12:23 337 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
2006-09-27 12:22 13,046 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
2006-09-27 12:22 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
2006-09-27 12:01 177,152 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
2006-09-21 13:05 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb153.dat
2006-09-18 12:18 49 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb41.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb8253.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
2006-09-18 10:32 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
2006-09-18 10:31 9,216 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb8467.dat
2006-09-18 10:31 0 -c--a-w C:\Documents and Settings\Nick\Application Data\internaldb6334.dat
1997-05-13 17:26 3,206,344 -c--a-w C:\Documents and Settings\Nick\HOSPPAT.EXE
1994-05-31 21:00 265,396 -c--a-w C:\Documents and Settings\Nick\DOS4GW.EXE
2006-11-21 14:12 80 --sh--r C:\WINDOWS\system32\A8D6A4E201.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 12:27 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 23:53 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 10:09 4247552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 04:43 7630848]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-08 16:34 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 23:51 219136]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSI ToolBar.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSI ToolBar.lnk
backup=C:\WINDOWS\pss\EPSI ToolBar.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-12 04:43 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-08 16:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-01-30 21:39]
R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 21:30]
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2004-07-05 22:24]
S3 SaiHFF12;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiHFF12.sys [2004-07-26 19:54]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 17:06:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 01:19:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 1:20:43
ComboFix-quarantined-files.txt 2008-03-01 01:20:26
ComboFix2.txt 2008-02-27 07:12:49
.
2008-02-14 18:00:04 --- E O F ---






and the HJT file



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:21:49, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Here\Desktop\Unused Desktop Shortcuts\Here.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862862656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862853390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6950 bytes




Thanks ..................... noted re the firewall!!!! I've now got one.

#25 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:49 AM

Posted 01 March 2008 - 04:14 PM

Hi!

I can't see any firewall. What firewall do you have?
Looks like "Step #1" didn't work. Can you please do it again? :thumbsup:

After that please post Combofix log and a fresh HijackThis log back here.

#26 kremlingazette

kremlingazette
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:07:49 PM

Posted 03 March 2008 - 02:59 AM

Hi


I have ZoneAlarm installed and active. Here is the ComboFix scan


ComboFix 08-03-03.6 - Here 2008-03-03 7:41:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT 0:00]
Running from: C:\Documents and Settings\Here\Desktop\ECU Mapping\ComboFix.exe
Command switches used :: C:\Documents and Settings\Here\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Nick\Application Data\internaldb153.dat
C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
C:\Documents and Settings\Nick\Application Data\internaldb41.dat
C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
C:\Documents and Settings\Nick\Application Data\internaldb6334.dat
C:\Documents and Settings\Nick\Application Data\internaldb8253.dat
C:\Documents and Settings\Nick\Application Data\internaldb8467.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nick\Application Data\internaldb153.dat
C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
C:\Documents and Settings\Nick\Application Data\internaldb41.dat
C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
C:\Documents and Settings\Nick\Application Data\internaldb6334.dat
C:\Documents and Settings\Nick\Application Data\internaldb8253.dat
C:\Documents and Settings\Nick\Application Data\internaldb8467.dat

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 12:31 . 2008-03-02 12:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-02 12:31 . 2008-03-02 12:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2008-03-01 07:28 . 2008-03-01 07:28 268 --ah-c--- C:\sqmdata19.sqm
2008-03-01 07:28 . 2008-03-01 07:28 244 --ah-c--- C:\sqmnoopt19.sqm
2008-03-01 01:37 . 2008-03-02 19:54 6,694,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-01 01:37 . 2008-03-02 19:54 10,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-01 01:34 . 2008-03-01 01:34 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\MailFrontier
2008-03-01 01:33 . 2008-03-01 01:33 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-01 01:32 . 2008-03-03 07:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-27 18:55 . 2008-02-27 18:55 <DIR> d-------- C:\Program Files\Quit Counter
2008-02-27 06:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-27 06:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-27 06:57 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-27 06:57 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-27 06:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-27 06:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-27 06:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 11:58 . 2008-02-26 11:59 <DIR> d-------- C:\Program Files\BitLord
2008-02-24 17:43 . 2008-02-24 17:43 <DIR> d----c--- C:\SLSK
2008-02-24 17:28 . 2008-02-26 12:00 <DIR> d-------- C:\Program Files\Soulseek
2008-02-23 21:19 . 2008-02-23 21:19 268 --ah-c--- C:\sqmdata18.sqm
2008-02-23 21:19 . 2008-02-23 21:19 244 --ah-c--- C:\sqmnoopt18.sqm
2008-02-23 10:45 . 2008-03-03 07:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 10:45 . 2008-02-23 10:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 22:29 . 2008-02-22 22:29 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 22:29 . 2008-02-22 22:29 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-17 15:09 . 2008-02-17 15:09 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Grisoft
2008-02-17 15:09 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-17 11:35 . 2008-02-17 12:00 212 --a--c--- C:\delete.bat
2008-02-17 09:41 . 2008-02-17 09:41 <DIR> d----c--- C:\Documents and Settings\Here\Trillian
2008-02-12 15:47 . 2008-02-12 15:49 <DIR> d-------- C:\Program Files\TunerPro
2008-02-11 15:35 . 2008-02-11 15:35 <DIR> d-------- C:\Program Files\Sharp World Clock
2008-02-11 15:35 . 2008-02-11 15:38 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\Sharp World Clock
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-11 12:57 . 2008-02-11 12:57 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2008-02-09 10:45 . 2008-02-09 10:45 <DIR> d-------- C:\Program Files\MSECache
2008-02-08 11:03 . 2008-02-08 11:03 268 --ah-c--- C:\sqmdata17.sqm
2008-02-08 11:03 . 2008-02-08 11:03 244 --ah-c--- C:\sqmnoopt17.sqm
2008-02-06 09:30 . 2008-02-06 09:30 268 --ah-c--- C:\sqmdata16.sqm
2008-02-06 09:30 . 2008-02-06 09:30 244 --ah-c--- C:\sqmnoopt16.sqm
2008-02-04 10:02 . 2008-02-04 10:02 <DIR> d----c--- C:\_OTMoveIt
2008-02-03 14:08 . 2008-02-03 15:49 <DIR> d----c--- C:\Documents and Settings\Here\Application Data\QuitCounter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 13:21 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-02 13:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-02 12:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 12:29 --------- dc----w C:\Documents and Settings\Here\Application Data\Lavasoft
2008-03-02 11:08 --------- d-----w C:\Program Files\Trillian
2008-03-01 21:18 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\avg7
2008-03-01 15:36 317,952 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-01 15:36 1,324,544 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-29 16:52 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 07:37 --------- dc----w C:\Documents and Settings\Here\Application Data\AVG7
2008-02-26 11:51 --------- d-----w C:\Program Files\LimeWire
2008-02-24 13:30 --------- d-----w C:\Program Files\iTunes
2008-02-24 13:29 --------- d-----w C:\Program Files\iPod
2008-02-24 13:27 --------- d-----w C:\Program Files\QuickTime
2008-02-22 19:44 --------- dc----w C:\Documents and Settings\Here\Application Data\Xfire
2008-02-17 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-15 19:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 18:21 --------- d-s---w C:\Program Files\Xfire
2008-01-31 02:02 54,608 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-01-28 16:17 --------- d-----w C:\Program Files\RegScrubXP
2008-01-21 18:02 --------- d-----w C:\Program Files\Google
2008-01-20 21:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-20 21:19 --------- dc----w C:\Documents and Settings\Here\Application Data\Babylon
2008-01-20 21:19 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Babylon
2008-01-20 20:32 --------- dc--a-w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2008-01-20 16:43 --------- d-----w C:\Program Files\Yahoo!
2008-01-20 15:21 --------- d-----w C:\Program Files\Easy GIF Animator
2008-01-20 10:44 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kontiki
2008-01-20 10:42 --------- d-----w C:\Program Files\Samsung
2008-01-20 09:03 --------- dc----w C:\Documents and Settings\Here\Application Data\Yahoo!
2008-01-20 09:03 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Yahoo!
2008-01-16 10:07 --------- d-----w C:\Program Files\Skype
2008-01-10 14:28 --------- dc----w C:\Documents and Settings\Here\Application Data\skypePM
2008-01-10 07:24 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2008-01-05 14:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-05 13:49 22,328 -c--a-w C:\Documents and Settings\Here\Application Data\PnkBstrK.sys
2008-01-05 13:38 --------- d-----w C:\Program Files\Activision
2008-01-05 13:31 --------- d-----w C:\Program Files\CCleaner
2008-01-05 10:40 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\nView_Profiles
2008-01-04 22:29 --------- d-----w C:\Program Files\RegistryFix
2008-01-04 20:56 --------- d-----w C:\Program Files\Registry Cleaner
2008-01-04 20:20 --------- dc----w C:\Documents and Settings\Here\Application Data\Abexo
2008-01-04 20:20 --------- d-----w C:\Program Files\Abexo
2008-01-04 16:45 32 -c--a-w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ezsid.dat
2008-01-04 16:42 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Skype
2008-01-04 16:42 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-04 10:41 --------- dc----w C:\Documents and Settings\Here\Application Data\iolo
2008-01-04 10:41 --------- dc----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\iolo
2008-01-03 12:31 --------- d-----w C:\Program Files\Alcatel
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
1997-05-13 17:26 3,206,344 -c--a-w C:\Documents and Settings\Nick\HOSPPAT.EXE
1994-05-31 21:00 265,396 -c--a-w C:\Documents and Settings\Nick\DOS4GW.EXE
2006-11-21 14:12 80 --sh--r C:\WINDOWS\system32\A8D6A4E201.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 12:27 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 23:53 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40 155648]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 10:09 4247552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 04:43 7630848]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-08 16:34 185896]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 23:51 219136]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSI ToolBar.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSI ToolBar.lnk
backup=C:\WINDOWS\pss\EPSI ToolBar.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-12 04:43 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-08 16:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-01-30 21:39]
R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 21:30]
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2004-07-05 22:24]
S3 SaiHFF12;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiHFF12.sys [2004-07-26 19:54]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 07:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-03 7:48:21
ComboFix-quarantined-files.txt 2008-03-03 07:48:17
ComboFix2.txt 2008-03-01 01:20:44
ComboFix3.txt 2008-02-27 07:12:49
.
2008-02-14 18:00:04 --- E O F ---



and HJT log .................



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:59:30, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Here\Desktop\Unused Desktop Shortcuts\Here.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862862656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862853390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7416 bytes






Thanks...........
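
The logs in this post are what the helper reads by eye: DPF controls, DNS servers, services with no publisher, and the policy values ComboFix lists under "Reg Loading Points". The script below is an added example for this thread; it is not part of HijackThis, ComboFix or any BleepingComputer tooling, and the rules it applies (bare-IP ActiveX sources, "Unknown owner" services, NameServer values to confirm with the ISP, EnableFirewall=0, NoSecurityTab=1, DisableMonitoring=1) are this editor's assumptions about what is worth a second look, not verdicts. The sample input is a handful of lines copied from the HijackThis and ComboFix logs above.

```python
"""Triage helper for HijackThis / ComboFix log lines.

Added example for this thread, not part of HijackThis, ComboFix or any
BleepingComputer tooling.  Each rule flags something to verify, not an
infection: a control fetched from a bare IP, a service with no publisher,
the DNS servers in use, and policy values that turn off the Windows
Firewall, hide Explorer's Security tab or silence Security Center.
"""
import re
from typing import Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str  # "review": look at it; "info": confirm it is expected
    rule: str
    line: str


# HijackThis line shapes this helper understands.
_O16 = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix registry dump shapes: a [key] header followed by "name"=value lines.
_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_POLICY = re.compile(
    r'^"(?P<name>EnableFirewall|DisableMonitoring|NoSecurityTab)"=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)',
    re.IGNORECASE,
)
# URL whose host is a literal IPv4 address rather than a domain name.
_BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the review rules to log lines and return what they flag."""
    findings: List[Finding] = []
    current_key: Optional[str] = None  # last [registry key] header seen
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = _O16.match(line)
        if m:
            if _BARE_IP_URL.match(m["url"]):
                findings.append(Finding("review", "activex-from-bare-ip", line))
            elif not m["name"]:
                findings.append(Finding("review", "activex-unnamed", line))
            continue
        m = _O17.match(line)
        if m:
            findings.append(Finding("info", "dns-servers:" + m["servers"].strip(), line))
            continue
        m = _O23.match(line)
        if m:
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("review", "service-unknown-owner", line))
            continue
        m = _POLICY.match(line)
        if m:
            name, value = m["name"].lower(), int(m["val"], 16)
            if name == "enablefirewall" and value == 0:
                findings.append(Finding("review", "windows-firewall-off", line))
            elif name == "nosecuritytab" and value == 1:
                findings.append(Finding("review", "security-tab-hidden", line))
            elif name == "disablemonitoring" and value == 1:
                where = current_key or "<unknown key>"
                findings.append(Finding("info", "securitycenter-monitoring-off:" + where, line))
    return findings


# Sample input: lines copied from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159862862656
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD937558-7312-4DBE-BAC6-25D82E8269D0}: NameServer = 212.139.132.44 212.139.132.43
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").readlines())`. On the sample it reports the bare-IP DPF control, both "Unknown owner" services, the hidden Security tab and the disabled Windows Firewall as review items, and the DNS servers and the ZoneLabsFirewall monitoring key as info. "Unknown owner" only means the binary carries no publisher information, so the follow-up is to check the file's hash and origin; EnableFirewall=0 together with a DisableMonitoring entry for a third-party firewall is the normal state once that firewall is installed, which is why those are reported separately rather than combined into one verdict.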

#27 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:49 AM

Posted 04 March 2008 - 10:22 AM

Log looks clean...great job!

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
___________________________

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
___________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
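The post above asks the user to change six Internet zone settings in Internet Explorer and to strip every old Java Runtime from Add/Remove Programs by hand. As an added example (not part of the thread and not a BleepingComputer or HJT Team tool), the following PowerShell script audits both: it reads the per-user Internet zone (zone 3) key using Microsoft's documented URL-action value IDs and reports which settings still differ from the values the post recommends, and it lists every Java/J2SE entry under the Uninstall keys, flagging any version older than the newest one installed. Assumptions: it runs in the affected user's session, a machine-level zone key or group policy can override the per-user values it checks, and the optional Set-IEInternetZonePolicy function only writes the values the post lists. Note that the 2008 machines in this thread ran Windows XP, where PowerShell was a separate download rather than a built-in component.

```powershell
# Added example (not from the thread): post-cleanup audit of IE Internet zone settings
# and stale Java Runtime installs. Assumption: HKCU zone 3 applies; GPO or an HKLM
# zone key can override it.

# Internet zone = Zones\3. Value IDs are Microsoft's URL-action IDs (KB182569);
# data 0 = Enable, 1 = Prompt, 3 = Disable. Wanted values are the ones the post lists.
$script:IEZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$script:IEPolicy  = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$script:IELabels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEInternetZoneStatus {
    # One object per setting: current value, wanted value, and whether they match.
    param([string]$Key = $script:IEZoneKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($rule in $script:IEPolicy) {
        $have = $props.($rule.Id)            # $null when the value was never set (IE default applies)
        $current = 'not set (IE default)'
        if ($null -ne $have) { $current = $script:IELabels[[int]$have] }
        [pscustomobject]@{
            Id      = $rule.Id
            Setting = $rule.Name
            Current = $current
            Wanted  = $script:IELabels[$rule.Want]
            Ok      = ($null -ne $have -and [int]$have -eq $rule.Want)
        }
    }
}

function Set-IEInternetZonePolicy {
    # Write the wanted DWORD values from the table (same effect as the Custom Level dialog).
    param([string]$Key = $script:IEZoneKey)
    foreach ($rule in $script:IEPolicy) {
        Set-ItemProperty -Path $Key -Name $rule.Id -Value $rule.Want -Type DWord
    }
}

function Get-InstalledJava {
    # Enumerate Add/Remove Programs entries (32- and 64-bit views) and keep Java/J2SE products.
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $found = foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match '^(Java|J2SE)' }
    }
    # Highest parseable DisplayVersion; every older install is a stale copy to remove.
    $newest = $found |
        ForEach-Object { try { [version]$_.DisplayVersion } catch { $null } } |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    foreach ($j in $found) {
        $v = try { [version]$j.DisplayVersion } catch { $null }
        [pscustomobject]@{
            Product = $j.DisplayName
            Version = $j.DisplayVersion
            Stale   = ($null -ne $v -and $null -ne $newest -and $v -lt $newest)
        }
    }
}

# Report: any IE row with Ok = False, or any Java row with Stale = True, still needs attention.
Get-IEInternetZoneStatus | Format-Table -AutoSize
Get-InstalledJava        | Format-Table -AutoSize
```

Run it once before and once after following the post's steps; the before/after tables show exactly which settings the Custom Level dialog changed and whether any older Java entry survived the Add/Remove Programs pass. Set-IEInternetZonePolicy is deliberately not called by default, so the script is read-only unless you invoke it.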

#28 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:07:49 PM

Posted 10 March 2008 - 08:00 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



