
Slow Computer


9 replies to this topic

#1 tpumma

tpumma

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:27 PM

Posted 01 February 2008 - 05:21 PM

Following is a HijackThis log after running Windows Advanced Care, AVG, and Spyware Doctor on an XP unit. Any assistance is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:19 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Journyx\database\MSSQL$JOURNYXMSDE\Binn\sqlservr.exe
C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\Journyx\jwt\timesheet\TimesheetService.exe
C:\PROGRA~1\Journyx\TIWS\xidos32.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ecommerce2000.net/PBP/Templates...p;DetFlash=true
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: TVM070707 - {79042869-F66E-4B5A-8433-3D793DD3A305} - C:\Program Files\eBay Misspell Search Toolbar\timevsmoney.dll
O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
O3 - Toolbar: eBay Misspell Search Toolbar - {A8AE6616-6274-49C7-A99C-1DC3FBE83328} - C:\Program Files\eBay Misspell Search Toolbar\timevsmoney.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {14A1249F-CA17-4FDF-8F39-7DB8A77F11FC} (VPOSSystem Class) - https://downloadvpos.authorize.net/AnetVPOS.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://70.240.227.67/cab/OCXChecker_6110.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA3} (WDCapture Class) - https://wip.webdialogs.com/components/WDATL64.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126582899375
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c5/v18.174/qboax10.cab
O16 - DPF: {A97608DD-6999-11D5-9C8C-0010A4F2D6BF} (QCOMCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://shobha.dipmap.com/cab/RPB.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
O23 - Service: Esker License Control (EskerLicenseControl) - Esker - C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Journyx Timesheet (journyxtimesheet) - Unknown owner - C:\PROGRA~1\Journyx\jwt\timesheet\TimesheetService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Esker LPD (lpds) - Esker - C:\PROGRA~1\TUN\TCPW\WLPDSNT.EXE
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
O23 - Service: NetworkStreaming Server (ntwkstrm) - Unknown owner - C:\Program Files\NetworkStreaming\Customer\winvnc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11478 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 10 February 2008 - 07:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 tpumma

tpumma
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:27 PM

Posted 19 February 2008 - 10:13 PM

OK. Please check the updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:30 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
E:\download\ProcessExplorer\procexp.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ecommerce2000.net/PBP/Templates...p;DetFlash=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {14A1249F-CA17-4FDF-8F39-7DB8A77F11FC} (VPOSSystem Class) - https://downloadvpos.authorize.net/AnetVPOS.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://70.240.227.67/cab/OCXChecker_6110.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA3} (WDCapture Class) - https://wip.webdialogs.com/components/WDATL64.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126582899375
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c5/v18.174/qboax10.cab
O16 - DPF: {A97608DD-6999-11D5-9C8C-0010A4F2D6BF} (QCOMCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://shobha.dipmap.com/cab/RPB.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
O23 - Service: Esker License Control (EskerLicenseControl) - Esker - C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Esker LPD (lpds) - Esker - C:\PROGRA~1\TUN\TCPW\WLPDSNT.EXE
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
O23 - Service: NetworkStreaming Server (ntwkstrm) - Unknown owner - C:\Program Files\NetworkStreaming\Customer\winvnc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9808 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 21 February 2008 - 07:42 PM

Please follow the instructions in the link below for the downloading and running of ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This also includes installing the Windows XP Recovery Console in case you have not got it installed.
Post the log from ComboFix when you've finished, along with a new HijackThis log please.

#5 tpumma

tpumma
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:27 PM

Posted 25 February 2008 - 11:00 PM

Here is the log file - let me know if you need anything else:

ComboFix 08-02-25.3 - Owner 2008-02-25 21:29:57.2 - NTFSx86
Running from: e:\download\ComboFix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 21:25 . 2008-02-25 21:25 0 --a--c--- C:\LOG2.tmp
2008-02-25 19:05 . 2008-02-25 19:05 0 --a--c--- C:\LOG1.tmp
2008-02-19 23:32 . 2008-02-19 23:33 <DIR> d-------- C:\WINDOWS\226279A764EA4F0F897CAC71596FF525.TMP
2008-02-19 19:04 . 2007-12-04 12:57 11,284 --------- C:\WINDOWS\_000000_.tmp.dll
2008-02-17 10:32 . 2007-12-18 20:38 11,284 --------- C:\WINDOWS\_000006_.tmp.dll
2008-02-07 09:01 . 2008-02-07 09:01 <DIR> d-------- C:\WINDOWS\Apps
2008-02-06 17:10 . 2008-02-06 17:10 <DIR> d-------- C:\Program Files\COMODO
2008-02-06 17:10 . 2008-02-06 17:10 <DIR> d-------- C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Comodo
2008-02-06 17:10 . 2008-02-06 17:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-02-06 17:10 . 2008-02-19 20:05 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll.vir
2008-02-06 17:10 . 2008-02-19 20:05 84,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdGuard.sys
2008-02-06 17:10 . 2008-02-19 20:05 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-02-05 17:03 . 2008-02-05 17:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-02-05 17:03 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-02-05 17:03 . 2008-02-05 17:07 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-02-05 17:01 . 2008-02-06 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2008-02-05 17:00 . 2008-02-06 16:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-05 16:52 . 2008-02-05 16:52 0 --a------ C:\WINDOWS\LogMeIn_uninstall_reboot
2008-01-30 21:02 . 2008-01-30 21:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-30 20:04 . 2008-01-30 20:04 <DIR> d-------- C:\Program Files\Auslogics
2008-01-30 20:04 . 2008-01-30 20:04 <DIR> d-------- C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Auslogics
2008-01-30 19:27 . 2008-01-30 19:27 <DIR> d-------- C:\Program Files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 03:40 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-26 01:23 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-26 00:59 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\U3
2008-02-26 00:54 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\AVG7
2008-02-20 05:35 --------- d-----w C:\Program Files\Neat Business Cards
2008-02-20 05:31 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-20 05:26 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-20 05:03 --------- d-----w C:\Program Files\Picasa2
2008-02-20 05:01 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Uniblue
2008-02-13 21:47 437,096 ----a-w C:\WINDOWS\SYSTEM32\Incinerator.dll
2008-02-06 23:02 --------- d-----w C:\Program Files\ActiveHome Pro
2008-02-06 23:01 --------- d-----w C:\Program Files\eBay Misspell Search Toolbar
2008-02-06 23:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{A8AE6616-6274-49C7-A99C-1DC3FBE83328}
2008-02-06 23:00 --------- d-----w C:\Program Files\Yahoo!
2008-02-06 22:46 --------- d-----w C:\Program Files\Journyx
2008-02-05 23:18 32,768 ----a-w C:\WINDOWS\SYSTEM32\iolobtdfg.exe
2008-02-05 23:18 24,064 ----a-w C:\WINDOWS\SYSTEM32\smrgdf.exe
2008-02-05 22:52 --------- d-----w C:\Program Files\LogMeIn
2008-02-03 00:41 --------- d-----w C:\Program Files\CallWave
2008-01-31 03:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-01-31 02:40 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\AVG7
2008-01-31 02:39 --------- d-----w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\AVG7
2008-01-28 18:53 --------- d-----w C:\Program Files\Plaxo
2008-01-27 21:47 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\iolo
2008-01-25 15:42 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\AdobeUM
2008-01-25 02:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-01-25 00:28 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\iolo
2008-01-17 22:44 --------- d-----w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\iolo
2008-01-08 05:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 05:02 --------- d-----w C:\Program Files\ucietb
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-09-09 19:33 27,472 ----a-w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\GDIPFONTCACHEV1.DAT
2006-05-16 06:57 27,472 ----a-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\GDIPFONTCACHEV1.DAT
2005-07-20 01:45 51,641 ---ha-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\ptads.bin
2005-07-19 22:26 51,641 ---ha-w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\ptads.bin
2005-06-09 19:18 28,672 ----a-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\atwbxdet.dll
2004-09-07 22:05 25,559 ----a-w C:\Program Files\QUICKEN2002.QIF
2003-06-07 17:44 209,178 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-02-13 15:46 744808]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-30 21:02 411648]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-12 00:36 1065800]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-19 19:33 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:02 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-03-21 14:00 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-04-12 10:30 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2003-12-02 16:11 58392 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTV4Me]
--a------ 2006-08-23 07:59 1044480 C:\Program Files\PCTV4Me\PCTV4Me.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Common Files\\X10\\Common\\rundll32.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-19 20:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-19 20:05]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;"C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe" [2007-05-08 17:22]
S1 spusbaudio;USB Microphone;C:\WINDOWS\system32\drivers\CA506AA.sys [2000-07-20 08:06]
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
S3 PAC207;Basic Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 13:57]
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2003-09-02 11:10]
S3 SPCA506AV;X10 VA11A Video Capture;C:\WINDOWS\system32\DRIVERS\CA506AV.SYS [2001-03-30 06:58]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a0fc87-9ece-11dc-a729-000874b82d25}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3bf11-efba-11d8-a704-00062548c5e1}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f55415c-f408-11db-a67f-000874b82d25}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 05:03:01 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2007-08-09 00:15:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:44:03
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-02-25 21:49:03
ComboFix-quarantined-files.txt 2008-02-26 03:48:53
ComboFix2.txt 2008-02-26 03:00:45
.
2008-02-20 04:27:15 --- E O F ---

#6 tpumma (Topic Starter)

Posted 25 February 2008 - 11:12 PM

Here's a second try:

ComboFix 08-02-25.3 - Owner 2008-02-25 22:05:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.603 [GMT -6:00]
Running from: e:\download\ComboFix\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 21:25 . 2008-02-25 21:25 0 --a--c--- C:\LOG2.tmp
2008-02-25 19:05 . 2008-02-25 19:05 0 --a--c--- C:\LOG1.tmp
2008-02-19 23:32 . 2008-02-19 23:33 <DIR> d-------- C:\WINDOWS\226279A764EA4F0F897CAC71596FF525.TMP
2008-02-19 19:04 . 2007-12-04 12:57 11,284 --------- C:\WINDOWS\_000000_.tmp.dll
2008-02-17 10:32 . 2007-12-18 20:38 11,284 --------- C:\WINDOWS\_000006_.tmp.dll
2008-02-07 09:01 . 2008-02-07 09:01 <DIR> d-------- C:\WINDOWS\Apps
2008-02-06 17:10 . 2008-02-06 17:10 <DIR> d-------- C:\Program Files\COMODO
2008-02-06 17:10 . 2008-02-06 17:10 <DIR> d-------- C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Comodo
2008-02-06 17:10 . 2008-02-06 17:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-02-06 17:10 . 2008-02-19 20:05 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll.vir
2008-02-06 17:10 . 2008-02-19 20:05 84,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdGuard.sys
2008-02-06 17:10 . 2008-02-19 20:05 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-02-05 17:03 . 2008-02-05 17:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-02-05 17:03 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-02-05 17:03 . 2008-02-05 17:07 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-02-05 17:01 . 2008-02-06 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2008-02-05 17:00 . 2008-02-06 16:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-05 16:52 . 2008-02-05 16:52 0 --a------ C:\WINDOWS\LogMeIn_uninstall_reboot
2008-01-30 21:02 . 2008-01-30 21:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-30 20:04 . 2008-01-30 20:04 <DIR> d-------- C:\Program Files\Auslogics
2008-01-30 20:04 . 2008-01-30 20:04 <DIR> d-------- C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Auslogics
2008-01-30 19:27 . 2008-01-30 19:27 <DIR> d-------- C:\Program Files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 03:40 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-26 01:23 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-26 00:59 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\U3
2008-02-26 00:54 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\AVG7
2008-02-20 05:35 --------- d-----w C:\Program Files\Neat Business Cards
2008-02-20 05:31 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-20 05:26 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-20 05:03 --------- d-----w C:\Program Files\Picasa2
2008-02-20 05:01 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\Uniblue
2008-02-13 21:47 437,096 ----a-w C:\WINDOWS\SYSTEM32\Incinerator.dll
2008-02-06 23:02 --------- d-----w C:\Program Files\ActiveHome Pro
2008-02-06 23:01 --------- d-----w C:\Program Files\eBay Misspell Search Toolbar
2008-02-06 23:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{A8AE6616-6274-49C7-A99C-1DC3FBE83328}
2008-02-06 23:00 --------- d-----w C:\Program Files\Yahoo!
2008-02-06 22:46 --------- d-----w C:\Program Files\Journyx
2008-02-05 23:18 32,768 ----a-w C:\WINDOWS\SYSTEM32\iolobtdfg.exe
2008-02-05 23:18 24,064 ----a-w C:\WINDOWS\SYSTEM32\smrgdf.exe
2008-02-05 22:52 --------- d-----w C:\Program Files\LogMeIn
2008-02-03 00:41 --------- d-----w C:\Program Files\CallWave
2008-01-31 03:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-01-31 02:40 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\AVG7
2008-01-31 02:39 --------- d-----w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\AVG7
2008-01-28 18:53 --------- d-----w C:\Program Files\Plaxo
2008-01-27 21:47 --------- d-----w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\iolo
2008-01-25 15:42 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\AdobeUM
2008-01-25 02:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-01-25 00:28 --------- d-----w C:\Documents and Settings\tempadmin\Application Data\iolo
2008-01-17 22:44 --------- d-----w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\iolo
2008-01-08 05:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 05:02 --------- d-----w C:\Program Files\ucietb
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-09-09 19:33 27,472 ----a-w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\GDIPFONTCACHEV1.DAT
2006-05-16 06:57 27,472 ----a-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\GDIPFONTCACHEV1.DAT
2005-07-20 01:45 51,641 ---ha-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\Application Data\ptads.bin
2005-07-19 22:26 51,641 ---ha-w C:\Documents and Settings\SHALINI AGGARWAL\Application Data\ptads.bin
2005-06-09 19:18 28,672 ----a-w C:\Documents and Settings\Owner.AJAYBEDROOMCMPT\atwbxdet.dll
2004-09-07 22:05 25,559 ----a-w C:\Program Files\QUICKEN2002.QIF
2003-06-07 17:44 209,178 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-02-13 15:46 744808]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-30 21:02 411648]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-19 19:33 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:02 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-03-21 14:00 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-04-12 10:30 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2003-12-02 16:11 58392 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTV4Me]
--a------ 2006-08-23 07:59 1044480 C:\Program Files\PCTV4Me\PCTV4Me.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Common Files\\X10\\Common\\rundll32.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-19 20:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-19 20:05]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;"C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe" [2007-05-08 17:22]
S1 spusbaudio;USB Microphone;C:\WINDOWS\system32\drivers\CA506AA.sys [2000-07-20 08:06]
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
S3 PAC207;Basic Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 13:57]
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2003-09-02 11:10]
S3 SPCA506AV;X10 VA11A Video Capture;C:\WINDOWS\system32\DRIVERS\CA506AV.SYS [2001-03-30 06:58]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a0fc87-9ece-11dc-a729-000874b82d25}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3bf11-efba-11d8-a704-00062548c5e1}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f55415c-f408-11db-a67f-000874b82d25}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 05:03:01 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2007-08-09 00:15:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 22:09:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-02-25 22:10:38
ComboFix-quarantined-files.txt 2008-02-26 04:10:32
ComboFix2.txt 2008-02-26 03:49:04
ComboFix3.txt 2008-02-26 03:00:45
.
2008-02-20 04:27:15 --- E O F ---

#7 tpumma (Topic Starter)

Posted 25 February 2008 - 11:16 PM

Following is the updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:03 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ecommerce2000.net/PBP/Templates...p;DetFlash=true
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {14A1249F-CA17-4FDF-8F39-7DB8A77F11FC} (VPOSSystem Class) - https://downloadvpos.authorize.net/AnetVPOS.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://70.240.227.67/cab/OCXChecker_6110.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA3} (WDCapture Class) - https://wip.webdialogs.com/components/WDATL64.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126582899375
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c5/v18.174/qboax10.cab
O16 - DPF: {A97608DD-6999-11D5-9C8C-0010A4F2D6BF} (QCOMCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://shobha.dipmap.com/cab/RPB.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
O23 - Service: Esker License Control (EskerLicenseControl) - Esker - C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Esker LPD (lpds) - Esker - C:\PROGRA~1\TUN\TCPW\WLPDSNT.EXE
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Neat Business Cards\exec\NeatReceiptsDBController.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9230 bytes

#8 RichieUK (Malware Response Team)

Posted 26 February 2008 - 09:32 AM

Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\LOG2.tmp
C:\LOG1.tmp
C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000006_.tmp.dll
C:\WINDOWS\226279A764EA4F0F897CAC71596FF525.TMP


Return to OTMoveIt, right-click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O16 - DPF: {14A1249F-CA17-4FDF-8F39-7DB8A77F11FC} (VPOSSystem Class) - https://downloadvpos.authorize.net/AnetVPOS.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://70.240.227.67/cab/OCXChecker_6110.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA3} (WDCapture Class) - https://wip.webdialogs.com/components/WDATL64.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe

Exit HijackThis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

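The O16 entries RichieUK selects above share two traits a reviewer looks for: one has no recorded download source at all (the YInstStarter line ends in a bare "-"), and one pulls an ActiveX control from a bare IP address rather than a domain. The following triage helper is an added example and not code from the thread, from BleepingComputer or from HijackThis itself; it parses lines in the HijackThis v2 format shown in post #7 and flags those two O16 conditions, every AppInit_DLLs entry (O20), and O23 services whose publisher is "Unknown owner". The sample lines are constructed from the log above, and the flags are review prompts rather than verdicts: guard32.dll, for instance, was created alongside the COMODO driver files in the ComboFix listing, and a flag on it only means "account for this".

```python
"""Triage a HijackThis-style log: flag entries that merit a second look.

Added example (not from the thread or from HijackThis). The flags are review
prompts, not verdicts: a bare-IP download source or an AppInit_DLLs entry is
worth confirming, not automatically malicious.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines in HijackThis v2 format, modelled on the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {14A1249F-CA17-4FDF-8F39-7DB8A77F11FC} (VPOSSystem Class) - https://downloadvpos.authorize.net/AnetVPOS.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://70.240.227.67/cab/OCXChecker_6110.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - ")
# O16: "<id> (<name>) - <url>"; both the "(name)" part and the url may be absent.
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def parse_entries(text):
    """Yield (section, line) for each HijackThis entry line, e.g. ('O16', '...')."""
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), line


def is_ip_host(url):
    """True when the URL's host is a literal IP address rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return a list of (section, subject, reason) findings for the log text."""
    findings = []
    for section, line in parse_entries(text):
        if section == "O16":
            m = O16_RE.match(line)
            if not m:
                continue
            url = m.group("url")
            if not url:
                # Nothing to verify the control against: no source URL was kept.
                findings.append(("O16", m.group("id"), "no download source recorded"))
            elif is_ip_host(url):
                findings.append(("O16", m.group("id"),
                                 f"ActiveX control fetched from bare IP {urlparse(url).hostname}"))
        elif section == "O20":
            m = O20_RE.match(line)
            if m:
                # AppInit_DLLs load into every process that maps user32.dll, so each
                # listed DLL (space or comma separated) must be accounted for.
                for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                    if dll:
                        findings.append(("O20", dll, "AppInit_DLLs entry; confirm the publisher"))
        elif section == "O23":
            m = O23_RE.match(line)
            if m and m.group("vendor") == "Unknown owner":
                findings.append(("O23", m.group("path"), "service binary has no publisher info"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {subject}\n     -> {reason}")
```

Run as a script it prints four findings for the sample: the bare-IP and source-less O16 controls, the guard32.dll AppInit entry, and the iolo service. Entries with a domain-hosted source (authorize.net, pestscan.com) are deliberately left alone; whether a domain is trustworthy is a separate question the script does not try to answer.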

#9 tpumma (Topic Starter)

Posted 07 March 2008 - 07:52 PM

Here's the OTMoveIt2 result:

[Custom Input]
< C:\LOG2.tmp >
File/Folder C:\LOG2.tmp not found.
< C:\LOG1.tmp >
File/Folder C:\LOG1.tmp not found.
< C:\WINDOWS\_000000_.tmp.dll >
LoadLibrary failed for C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000000_.tmp.dll NOT unregistered.
C:\WINDOWS\_000000_.tmp.dll moved successfully.
< C:\WINDOWS\_000006_.tmp.dll >
LoadLibrary failed for C:\WINDOWS\_000006_.tmp.dll
C:\WINDOWS\_000006_.tmp.dll NOT unregistered.
C:\WINDOWS\_000006_.tmp.dll moved successfully.
< C:\WINDOWS\226279A764EA4F0F897CAC71596FF525.TMP >
C:\WINDOWS\226279A764EA4F0F897CAC71596FF525.TMP moved successfully.

OTMoveIt2 v1.0.20 log created on 03072008_184806

#10 RichieUK (Malware Response Team)

Posted 08 March 2008 - 03:10 AM

Follow the remaining steps if you would please.