
Suspected Salair Virus/spyware



#1 Matt Cottrell


Posted 04 February 2008 - 10:34 AM

Over the last few days I have had an increasing number of popups/error messages.

The error messages are obviously created by some spyware as the English is very bad (some examples can be found here). A search for some of the files mentioned in the messages points to a company called Saliar, and apparently their software (which you have to buy) is the only one which will clean the spyware (sounds dodgy to me!).

I think I have tracked down the culprit file to "cmdctl.dll" in the "Sample Playlist" folder for Windows Media Player. A search for this file in Google yields no results, which suggests it is a randomly generated filename and not legitimate.

So here I am asking for your help with this issue.



Here is my ComboFix log:

ComboFix 08-02.03.1 - Matt 2008-02-04 13:54:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2836 [GMT 0:00]
Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Matt\Application Data\inst.exe

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 13:49 . 2004-08-04 12:00 260,272 -r-hs---- C:\cmldr
2008-02-04 13:49 . 2007-11-12 21:52 211 --ahs---- C:\BOOT.BAK
2008-01-31 10:25 . 2008-01-31 10:27 <DIR> d-------- C:\WINDOWS\system32\carbonated
2008-01-31 10:25 . 2008-01-31 10:25 <DIR> d-------- C:\Program Files\Carbonated Software
2008-01-30 22:43 . 2008-01-30 22:44 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2008-01-29 19:19 . 2008-01-29 19:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 09:30 . 2008-01-29 09:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-24 15:04 . 2008-01-28 18:30 <DIR> d-------- C:\Program Files\gMapMaker
2008-01-20 20:02 . 2008-01-20 20:02 <DIR> d-------- C:\Program Files\Magic Swf2Avi 2008
2008-01-15 08:02 . 2008-01-15 08:10 <DIR> d-------- C:\Series 5
2008-01-15 07:46 . 2008-01-15 08:02 <DIR> d-------- C:\Series 4
2008-01-15 07:41 . 2008-01-15 07:45 <DIR> d-------- C:\Series 6
2008-01-12 09:47 . 2008-01-12 09:47 <DIR> d-------- C:\Program Files\UFS Explorer
2008-01-10 06:34 . 2008-01-10 06:34 8 --ah----- C:\WINDOWS\system\lmxsabb.dat
2008-01-09 22:36 . 2008-01-09 22:36 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\Eltima Software
2008-01-09 22:35 . 2008-01-09 22:35 <DIR> d-------- C:\Program Files\Eltima Software
2008-01-09 22:35 . 2008-01-09 22:35 <DIR> d-------- C:\Program Files\Common Files\Eltima Shared
2008-01-09 22:35 . 2007-12-02 14:14 3,345,408 --a------ C:\WINDOWS\system32\avcodec-51.dll
2008-01-09 22:35 . 2007-12-02 14:14 448,512 --a------ C:\WINDOWS\system32\avformat-50.dll
2008-01-09 22:35 . 2007-12-02 14:13 40,960 --a------ C:\WINDOWS\wavdest.ax
2008-01-09 22:35 . 2007-12-02 14:14 19,968 --a------ C:\WINDOWS\system32\avutil-49.dll
2008-01-09 13:32 . 2008-01-10 06:34 46 --ah----- C:\WINDOWS\system\lmxsal.dat
2008-01-09 13:32 . 2008-01-09 13:32 8 --ah----- C:\WINDOWS\system\lmxsap1b.dat
2008-01-09 13:32 . 2008-01-10 06:34 8 --ah----- C:\WINDOWS\system\lmxsacb.dat
2008-01-09 13:32 . 2008-01-10 06:34 8 --ah----- C:\WINDOWS\system\lmxsaab.dat
2008-01-09 13:27 . 2008-01-09 13:27 <DIR> d-------- C:\fe37d3a3f5fe311b956f89ceb12a63

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 13:55 --------- d-----w C:\Program Files\LogMeIn
2008-02-04 13:51 --------- d-----w C:\Documents and Settings\Matt\Application Data\uTorrent
2008-02-04 13:21 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 2
2008-02-04 07:25 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-02-01 18:43 --------- d-----w C:\Program Files\Steam
2008-01-29 18:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 03:26 --------- d-----w C:\Program Files\UltraFXP
2007-12-19 21:59 --------- d-----w C:\Program Files\DVDInfoPro
2007-12-19 21:45 --------- d-----w C:\Program Files\HotKey CD-Eject
2007-12-19 19:17 --------- d-----w C:\Documents and Settings\Matt\Application Data\Ashampoo
2007-12-19 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2007-12-19 19:16 --------- d-----w C:\Program Files\Ashampoo
2007-12-18 23:46 --------- d-----w C:\Documents and Settings\Matt\Application Data\CopyToDvd
2007-12-06 20:53 --------- d-----w C:\Program Files\TVersity
2007-12-06 20:43 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-05 20:54 --------- d-----w C:\Program Files\Haali
2007-12-05 19:54 --------- d-----w C:\Program Files\DVDlabPro
2007-12-05 13:39 --------- d-----w C:\Documents and Settings\Matt\Application Data\Vso
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-25 19:24 3,306,678 ----a-w C:\pebuilder3110a.exe
2007-11-18 11:57 47,360 ----a-w C:\Documents and Settings\Matt\Application Data\pcouffin.sys
2007-11-17 15:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-15 18:46 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2007-11-15 18:46 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-15 18:46 21,496 ----a-w C:\WINDOWS\system32\LMIport.dll
2007-11-12 22:08 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-11-12 22:06 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
2008-01-10 06:35 598016 --a------ C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuruIII"="C:\Program Files\U-ABIT\uGuru\uGuru.exe" [2007-04-11 18:58 425984]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-01-30 20:06 219952]
"Steam"="c:\program files\steam\steam.exe" [2007-12-02 14:40 1266936]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-16 12:28 171464]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exeeeeeeeeeee" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-05-13 14:57 5308416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 10:54 16116224 C:\WINDOWS\RTHDCPL.EXE]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 06:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-05-25 04:13 1957888]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 00:36 8527872]
"nwiz"="nwiz.exe" [2007-10-09 00:36 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 00:36 81920]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-09-13 15:54 380928]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"NGTray"="C:\Program Files\Symantec\Ghost\ngtray.exe" [2006-12-04 15:32 222856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NcpBudget"="C:\Program Files\WatchGuard\Mobile VPN\ncpbudgt.exe" [2006-12-01 13:54 228352]
"NcpPopup"="C:\Program Files\WatchGuard\Mobile VPN\ncppopup.exe" [2007-11-07 16:13 535040]
"NcpMonitor"="C:\Program Files\WatchGuard\Mobile VPN\ncpmon.exe" [2007-11-13 11:27 3451904]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-13 18:53:43 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmdctl]
C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll 2008-01-10 06:35 598016 C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sesen]
sesen.dll 2007-01-08 12:34 49152 C:\WINDOWS\system32\sesen.dll

R1 Ext2fs;Ext2fs;C:\WINDOWS\system32\DRIVERS\ext2fs.sys [2006-10-23 18:20]
R1 IfsDrives;IfsDrives;C:\WINDOWS\system32\DRIVERS\IfsDrives.sys [2004-09-25 00:28]
R1 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 05:46]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 ncpclcfg;ncpclcfg;C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe [2007-04-05 14:41]
R2 ncprwsnt;ncprwsnt;C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe [2007-11-08 10:39]
R2 NcpSec;NcpSec;C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe [2004-05-24 11:45]
R2 rwsrsu;RwsRsu;C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe [2007-10-23 12:25]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-09-13 15:54]
R3 ncplentp;WatchGuard Secure Client Adapter Driver;C:\WINDOWS\system32\DRIVERS\ncplentp.sys [2007-10-29 10:10]
R3 SecureEndpoint;Secure Endpoint Miniport;C:\WINDOWS\system32\DRIVERS\cswt.sys [2007-01-08 12:34]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-09-13 15:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 01:46:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 13:59:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll
.
Completion time: 2008-02-04 14:00:11
ComboFix-quarantined-files.txt 2008-02-04 14:00:09
.
2008-01-09 13:31:54 --- E O F ---





And here is my HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:06, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NcpBudget] "C:\Program Files\WatchGuard\Mobile VPN\ncpbudgt.exe"
O4 - HKLM\..\Run: [NcpPopup] "C:\Program Files\WatchGuard\Mobile VPN\ncppopup.exe" noerrmsg
O4 - HKLM\..\Run: [NcpMonitor] "C:\Program Files\WatchGuard\Mobile VPN\ncpmon.exe" AUTORUN
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeeeeeeeeeee
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{10ECD171-B36C-4AA7-AC26-73245A446974}: NameServer = 192.168.0.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ncpclcfg - Unknown owner - C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
O23 - Service: ncprwsnt - NCP Engineering GmbH - C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
O23 - Service: NcpSec - Unknown owner - C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RwsRsu (rwsrsu) - Unknown owner - C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7668 bytes


Many thanks in advance
Matt
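
The reasoning in post #1, that a DLL loaded into winlogon.exe from the Windows Media Player "Sample Playlists" folder does not belong there, can be applied mechanically to the "Reg Loading Points" section of the log. This is an added example, not part of the thread and not ComboFix's own logic; the three rules, the function names and the assumption that Windows is installed in C:\WINDOWS (as in the log) are choices made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
2008-01-10 06:35 598016 --a------ C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exeeeeeeeeeee" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmdctl]
C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll 2008-01-10 06:35 598016 C:\Program Files\Windows Media Player\Sample Playlists\cmdctl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sesen]
sesen.dll 2007-01-08 12:34 49152 C:\WINDOWS\system32\sesen.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Absolute path ending in an extension that is followed by a quote, space or EOL.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.\w+(?=["\s]|$)')
SYSTEM32 = r"c:\windows\system32"           # assumption: install dir as in the log
EXEC_EXT = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr"}

def classify(key):
    """Map a registry key to the kind of loading point it represents."""
    k = key.lower()
    if "\\winlogon\\notify\\" in k:
        return "notify"
    if "browser helper objects" in k:
        return "bho"
    if k.endswith("\\currentversion\\run"):
        return "run"
    return None

def parse(log):
    """Yield (kind, resolved_path) for entries under a recognised key."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        paths = PATH_RE.findall(line)
        if key and paths and classify(key):
            yield classify(key), paths[-1]   # last path is the resolved file

def triage(log):
    """Return (rule, path) findings for entries worth a closer look."""
    findings, seen = [], {}
    for kind, path in parse(log):
        p = PureWindowsPath(path)
        if kind == "notify" and str(p.parent).lower() != SYSTEM32:
            findings.append(("notify-outside-system32", path))
        if kind == "run" and p.suffix.lower() not in EXEC_EXT:
            findings.append(("run-odd-extension", path))
        seen.setdefault(path.lower(), (path, set()))[1].add(kind)
    for path, kinds in seen.values():
        if len(kinds) > 1:                   # same file hooked in several places
            findings.append(("multiple-loading-points", path))
    return findings

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:26} {path}")
```

A finding is a reason to inspect the file, not a verdict; legitimate software can trip any of these rules.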



#2 RichieUK


Posted 13 February 2008 - 05:41 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.



