Suspicious Svchost And Outerinfo


8 replies to this topic

#1 Tommynumber

Tommynumber

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Stafford UK
  • Local time:01:53 AM

Posted 27 February 2008 - 08:22 AM

Hey all (:

I've been using this same old system for a good few years now without any real major issues. However recently I've been finding a lot of malware and viruses after scans. Most annoying of all has to be the Outerinfo pop-ups I keep getting appearing in IE windows even though I only use the Firefox browser. Ad-aware, Spybot and Spyware Doctor have all failed to completely remove it.

Also I've become suspicious of one of my svchost.exe processes. At times it eats up a lot of my CPU. It's running from:
C:\Documents and Settings\USERNAME\Application Data\?ppPatch\?vchost.exe

HJT gave me the following log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:46, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\SMBOLS~1\winspool.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USERNAME\Application Data\?ppPatch\?vchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USERNAME\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {4BB598B5-73CB-4F79-ACE6-5893B52657E3} - C:\Program Files\Movie Maker\sateginy4444.dll (file missing)
O2 - BHO: (no name) - {65339AB3-737F-05AE-0216-2F00CDC781C3} - C:\WINDOWS\system32\lcxtvfb.dll
O2 - BHO: (no name) - {A49EF9E3-3BD5-433A-9D30-8C2AB7B2F2D3} - C:\Program Files\Movie Maker\sateginy83122.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Ixmyqcu] "C:\Documents and Settings\USERNAME\Application Data\?ppPatch\?vchost.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186956689702
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140617505968
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.135/tools/FlipsideWebLauncherControl.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - https://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - Winlogon Notify: seuagtos - seuagtos.dll (file missing)
O20 - Winlogon Notify: wvurqpp - wvurqpp.dll (file missing)
O20 - Winlogon Notify: yayxutt - yayxutt.dll (file missing)
O20 - Winlogon Notify: ydrouutb - ydrouutb.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: (no name) - http://us.f1.yahoofs.com/users/19d01277/bc...fxHO.8AbsiyHRXr
O24 - Desktop Component 1: (no name) - http://perso.club-internet.fr/jminazio/ElBuro.gif

--
End of file - 7623 bytes



Any help will be hugely appreciated! Thanks in advance.
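The process path in the post above is the classic look-alike trick: a file named to pass as svchost.exe (the leading character was lost in extraction and shows as "?"), launched from Application Data by an HKCU Run key rather than from %SystemRoot%\System32. The script below is an added example, not code from this thread, from BleepingComputer or from HijackThis; it assumes the HijackThis v2 line layout shown in the log and triages an excerpt constructed from the lines posted above, flagging the patterns a malware-response helper checks first: system-binary names running outside the Windows directories, autoruns launched from a profile or temp folder, and Winlogon Notify or BHO entries whose DLL is missing.

```python
"""Triage helper for HijackThis-style logs (added example; assumes the HJT v2 line format)."""
import re
from dataclasses import dataclass

# File names that, on Windows XP, legitimately live only under %SystemRoot% / System32.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# First executable path on a line; non-greedy so trailing switches/'(User ...)' are dropped.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com))', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # process | autorun | bho | winlogon-notify
    line: str    # the log line that triggered it
    reason: str


def fuzzy_equal(name, target):
    """Compare a file name to a protected binary name, treating '?' (a character
    lost in extraction) or any non-ASCII character as a wildcard for one character,
    which is how '?vchost.exe' is recognised as an svchost.exe look-alike."""
    if len(name) != len(target):
        return False
    return all(a == b or a == "?" or ord(a) > 127 for a, b in zip(name, target))


def is_system_lookalike(path):
    """True when the file name imitates a system binary but the file is not in the Windows directories."""
    directory, _, name = path.lower().rpartition("\\")
    imitated = any(fuzzy_equal(name, t) for t in SYSTEM_BINARIES)
    return imitated and directory not in WINDOWS_DIRS


def has_odd_chars(path):
    """Placeholder or non-ASCII characters in a path are themselves worth a look."""
    return "?" in path or any(ord(c) > 127 for c in path)


def is_profile_or_temp(path):
    """Autorun targets under Application Data, Local Settings or a Temp folder."""
    p = path.lower()
    return "\\application data\\" in p or "\\local settings\\" in p or "\\temp\\" in p


def _check_path(kind, line, path, findings):
    reasons = []
    if is_system_lookalike(path):
        reasons.append("file name imitates a Windows system binary but runs outside the Windows directory")
    if has_odd_chars(path):
        reasons.append("path contains non-ASCII or placeholder characters")
    if kind == "autorun" and is_profile_or_temp(path):
        reasons.append("autorun launches from a user profile or temp folder")
    if reasons:
        findings.append(Finding(kind, line, "; ".join(reasons)))


def triage(log_text):
    """Walk an HJT log and return the entries that deserve a closer look, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            _check_path("process", line, line, findings)
            continue
        if line.startswith("O4 - "):
            m = PATH_RE.search(line)
            if m:
                _check_path("autorun", line, m.group(1), findings)
        elif line.startswith("O20 - ") and "(file missing)" in line:
            findings.append(Finding("winlogon-notify", line,
                                    "Winlogon Notify DLL is missing on disk (typical of a half-removed infection)"))
        elif line.startswith("O2 - ") and "(no name)" in line:
            extra = "; file missing" if "(file missing)" in line else ""
            findings.append(Finding("bho", line, "unnamed Browser Helper Object" + extra))
    return findings


# Constructed excerpt, built from lines quoted in the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\USERNAME\Application Data\?ppPatch\?vchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {4BB598B5-73CB-4F79-ACE6-5893B52657E3} - C:\Program Files\Movie Maker\sateginy4444.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Ixmyqcu] "C:\Documents and Settings\USERNAME\Application Data\?ppPatch\?vchost.exe"
O20 - Winlogon Notify: seuagtos - seuagtos.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the excerpt this reports four entries: the look-alike process, the unnamed BHO with its file missing, the HKCU Run entry launching that same file from Application Data, and the orphaned Winlogon Notify DLL; the genuine svchost.exe in System32 and the AVG autorun pass. The wildcard comparison is deliberately loose (any one-character substitution matches), so treat a hit as "look at this" rather than a verdict.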


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:53 AM

Posted 07 March 2008 - 01:49 PM

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the ComboFix log and a new HijackThis log as a reply to this topic.

#3 Tommynumber

Tommynumber
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Stafford UK
  • Local time:01:53 AM

Posted 08 March 2008 - 09:50 AM

Okay I have done as you advised and these are the logs:

ComboFix 08-03-07.4 - THOMAS RUSSELL 2008-03-08 14:16:21.1 - NTFSx86
Running from: C:\Documents and Settings\THOMAS RUSSELL\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\THOMAS RUSSELL\Application Data\CROSOF~1.NET
C:\Documents and Settings\THOMAS RUSSELL\Application Data\PPPATC~1
C:\Documents and Settings\THOMAS RUSSELL\Application Data\YSTEM3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\assys.dll
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\msnimport.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\stem~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fyxihpro.ini
C:\WINDOWS\system32\m5
C:\WINDOWS\system32\m5\dcatdrive6.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\rxigoxky.ini
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\smbols~1\s?mbols\
C:\WINDOWS\system32\smbols~1\winspool.exe
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\u1
C:\WINDOWS\system32\u1\hiba3133.exe
C:\WINDOWS\system32\wfpkyumu.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wqjuworo.dll
C:\WINDOWS\system32\x8
C:\WINDOWS\system32\x8\liopud89104.exe
C:\WINDOWS\system32\z2
C:\WINDOWS\uawin.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-05 16:45 . 2008-03-05 16:53 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\CopyTrans
2008-03-05 16:44 . 2008-03-05 16:44 <DIR> d-------- C:\Program Files\WindSolutions
2008-03-05 16:44 . 2008-03-05 16:44 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\CopyTransControlCenter
2008-03-05 16:44 . 2008-03-05 16:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\CopyTransControlCenter
2008-03-05 16:41 . 2008-03-05 16:41 <DIR> d-------- C:\Program Files\Mediafour
2008-03-05 13:49 . 2008-03-05 13:49 <DIR> d-------- C:\Program Files\StyleCam Blink
2008-03-05 13:49 . 2008-03-05 13:49 <DIR> d-------- C:\Program Files\Common Files\DSC-07
2008-03-05 13:49 . 2002-04-17 18:35 63,104 --a------ C:\WINDOWS\system32\drivers\MXCap3.sys
2008-03-05 13:49 . 2002-01-22 15:01 50,688 --a------ C:\WINDOWS\system32\drivers\MXBulk3.sys
2008-03-05 13:49 . 2002-03-19 16:10 32,768 --a------ C:\WINDOWS\system32\infcpy.dll
2008-03-05 13:49 . 2002-03-08 21:48 23,936 --a------ C:\WINDOWS\system32\drivers\MXCamD.sys
2008-03-05 13:49 . 2002-03-29 15:31 446 --a------ C:\WINDOWS\system32\dsc06.reg
2008-03-05 13:49 . 2001-08-10 14:36 25 --a------ C:\WINDOWS\AVIMaker.INI
2008-03-03 13:57 . 2008-03-03 13:57 <DIR> d-------- C:\Program Files\NuCam
2008-03-03 13:57 . 2002-12-17 11:13 397,440 --a------ C:\WINDOWS\system32\drivers\biomini.sys
2008-03-03 13:57 . 2003-01-27 17:46 18,944 --a------ C:\WINDOWS\system32\B2Filter.ax
2008-03-03 13:57 . 2002-05-15 17:07 14,061 --a------ C:\WINDOWS\BLINK2DS.ini
2008-03-03 13:57 . 2001-10-31 17:51 7,438 --a------ C:\WINDOWS\BLINK2DS.src
2008-02-28 15:31 . 2008-02-28 15:31 13,502 --a------ C:\WINDOWS\system32\CelldoradoIconUK.ico
2008-02-25 14:53 . 2008-02-25 14:53 <DIR> d-------- C:\Program Files\iPod
2008-02-25 14:52 . 2008-02-25 14:53 <DIR> d-------- C:\Program Files\iTunes
2008-02-23 16:43 . 2008-02-23 16:43 <DIR> d-------- C:\Program Files\VirtualDJ
2008-02-19 17:52 . 2008-02-20 13:50 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\AVG7
2008-02-19 17:47 . 2008-02-19 17:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-19 17:46 . 2008-02-19 17:46 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 17:46 . 2008-02-19 17:54 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 15:29 . 2008-03-08 14:07 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 15:28 . 2008-03-06 18:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-14 15:28 . 2008-02-14 15:28 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\PC Tools
2008-02-14 15:28 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-14 15:28 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-14 15:28 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-14 15:28 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-14 14:38 . 2008-02-14 16:55 21,542 ---hs---- C:\WINDOWS\system32\ydrouutb.dllbox
2008-02-12 19:20 . 2008-02-16 14:54 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-02-09 23:57 . 2008-02-09 23:57 <DIR> d-------- C:\WINDOWS\system32\NetMon
2008-02-08 19:00 . 2008-02-12 17:00 <DIR> d-------- C:\Program Files\MSN Webcam Recorder
2008-02-08 17:53 . 2008-02-08 17:53 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\.jpi_cache
2008-02-08 17:53 . 2008-02-08 17:53 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\.java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 21:09 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-03-06 21:09 --------- d-----w C:\Program Files\Winamp
2008-03-06 21:08 --------- d-----w C:\Program Files\Timed Shutdown
2008-03-06 21:04 --------- d-----w C:\Program Files\Microsoft Works
2008-03-06 21:02 --------- d-----w C:\Program Files\ffdshow
2008-03-06 21:02 --------- d-----w C:\Program Files\DVD Shrink
2008-03-06 21:02 --------- d-----w C:\Program Files\DivX
2008-03-06 19:07 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2 SDK
2008-03-06 19:00 --------- d-----w C:\Program Files\vso
2008-03-06 19:00 --------- d-----w C:\Program Files\Uplink
2008-03-06 19:00 --------- d-----w C:\Program Files\SopCast
2008-03-06 18:59 --------- d-----w C:\Program Files\MP3 Workshop
2008-03-06 18:59 --------- d-----w C:\Program Files\MP3 Audio Sound Recoder
2008-03-06 18:31 --------- d-----w C:\Program Files\Driving Test Success Practical
2008-03-06 18:31 --------- d-----w C:\Program Files\CompuServe 2000 Version 6
2008-03-06 18:31 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-03-06 18:31 --------- d-----w C:\Program Files\AVIcodec
2008-03-06 18:31 --------- d-----w C:\Program Files\Avi2Dvd
2008-03-06 18:19 --------- d-----w C:\Program Files\MSN Messenger
2008-03-06 18:16 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\uTorrent
2008-03-06 17:30 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\dvdcss
2008-03-05 13:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 14:54 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\Apple Computer
2008-02-25 14:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-19 15:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 01:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-04 01:12 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-04 01:12 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\InstallShield
2008-02-04 00:55 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-04 00:55 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-02-04 00:46 20,520 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-02-04 00:46 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-02-03 19:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-03 19:12 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\Sony
2008-02-03 19:00 --------- d-----w C:\Program Files\QuickTime
2008-02-03 18:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-03 18:55 --------- d-----w C:\Program Files\Apple Software Update
2008-01-23 02:28 360,580 -c--a-w C:\WINDOWS\eSellerateEngine.dll
2008-01-23 02:26 --------- d-----w C:\Program Files\MSN Content Plus Inc
2008-01-18 18:27 --------- d-----w C:\Program Files\WinPcap
2008-01-09 23:08 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-01-18 19:28 87,608 ----a-w C:\Documents and Settings\THOMAS RUSSELL\Application Data\ezpinst.exe
2007-01-18 19:28 47,360 ----a-w C:\Documents and Settings\THOMAS RUSSELL\Application Data\pcouffin.sys
2003-06-24 19:43 461 -c--a-w C:\Program Files\INSTALL.LOG
2003-05-15 20:52 4 ----a-w C:\Program Files\system.log
2005-05-13 17:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 11:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-10-13 21:27 422,400 -csha-r C:\WINDOWS\x2.64.exe
2003-10-04 21:38 881,261 --sha-w C:\WINDOWS\system32\2loops_niw.dat
2005-10-07 19:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 12:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 15:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 10:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 13:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB598B5-73CB-4F79-ACE6-5893B52657E3}]
C:\Program Files\Movie Maker\sateginy4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A49EF9E3-3BD5-433A-9D30-8C2AB7B2F2D3}]
C:\Program Files\Movie Maker\sateginy83122.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SDLC]
@={7C24EABB-6704-4BD0-A9F5-537A3D2378A0}

[HKEY_CLASSES_ROOT\CLSID\{7C24EABB-6704-4BD0-A9F5-537A3D2378A0}]
C:\WINDOWS\System32\msabdx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-19 17:53 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 17:46 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\seuagtos]
seuagtos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurqpp]
wvurqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxutt]
yayxutt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydrouutb]
ydrouutb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
backup=C:\WINDOWS\pss\Search.vbsCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\THOMAS RUSSELL\Start Menu\Programs\Startup\Adobe Gamma Loader.exe

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\THOMAS RUSSELL\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^WinMySQLadmin.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^ZMatrix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24459ee0]
C:\WINDOWS\system32\kpmwedrj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_RegCleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blue Frog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamCheck]
--a------ 2003-02-06 16:18 90112 C:\Program Files\NuCam\CamCheck\CamCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-11-17 11:53 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecrebv]
C:\Documents and Settings\THOMAS RUSSELL\Application Data\??crosoft.NET\w?wexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gearbox]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Halo2Cluster]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iVISTA]
--a------ 2001-11-13 17:19 851968 C:\Program Files\Inetcam\iVISTA40\programs\ivista.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Izhzji]
C:\WINDOWS\system32\F?nts\n?lookup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-30 09:40 380928 C:\PROGRA~1\ntl\broadband medic\SmartBridge\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Webcam Recorder]
--a------ 2006-01-31 01:14 131072 C:\Program Files\MSN Webcam Recorder\ml20gui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-01-23 02:28 7094272 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\winvsnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NITE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-11-14 17:47 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\server]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--------- 2007-10-18 15:42 356352 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedItUpEX]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Services]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Toolkit]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbo Memory Charger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usrr]
C:\WINDOWS\system32\SMBOLS~1\winspool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoGirls_gb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-29 01:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 17:38 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Accelerators ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS SYSTEM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win_spool2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMap"=2 (0x2)
"ssoftservice"=2 (0x2)
"rpcapd"=3 (0x3)
"MySql"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"vsmon"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"fsbwsys"=2 (0x2)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Diskeeper"=2 (0x2)
"BackWeb Plug-in - 4476822"=2 (0x2)
"AvgServ"=2 (0x2)
"O&O Defrag"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"PavPrSrv"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"kavsvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)
"AVGEMS"=2 (0x2)
"AVP"=2 (0x2)
"MSControlService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\THOMAS RUSSELL\\Desktop\\utorrent.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Blink2PnP;Blink2PnP;C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe [1997-05-14 23:49]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 05:31]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-04 00:46]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys [2002-01-22 15:01]
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys [2002-04-17 18:35]
S3 RapFile;RapFile;C:\WINDOWS\System32\drivers\RapFile.sys [2003-02-10 16:28]
S3 RapNet;RapNet;C:\WINDOWS\System32\drivers\RapNet.sys [2003-02-10 16:28]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{028E2D30-93C4-EAEB-0801-040005020704}]
C:\WINDOWS\System32\drwatson.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-05-04 13:33:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 14:26:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-08 14:35:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 14:35:28
.
2008-02-27 16:01:28 --- E O F ---



And here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:35, on 08/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\THOMAS RUSSELL\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {4BB598B5-73CB-4F79-ACE6-5893B52657E3} - C:\Program Files\Movie Maker\sateginy4444.dll (file missing)
O2 - BHO: (no name) - {A49EF9E3-3BD5-433A-9D30-8C2AB7B2F2D3} - C:\Program Files\Movie Maker\sateginy83122.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186956689702
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140617505968
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.135/tools/FlipsideWebLauncherControl.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - https://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - Winlogon Notify: seuagtos - seuagtos.dll (file missing)
O20 - Winlogon Notify: wvurqpp - wvurqpp.dll (file missing)
O20 - Winlogon Notify: yayxutt - yayxutt.dll (file missing)
O20 - Winlogon Notify: ydrouutb - ydrouutb.dll (file missing)
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: (no name) - http://us.f1.yahoofs.com/users/19d01277/bc...fxHO.8AbsiyHRXr
O24 - Desktop Component 1: (no name) - http://perso.club-internet.fr/jminazio/ElBuro.gif

--
End of file - 7239 bytes



Thanks again for all your help here. Much appreciated!

Edited by random/random, 08 March 2008 - 02:45 PM.
removed [codebox] tags

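The two logs above carry the same small set of indicators a responder looks for first: autostart entries whose target file no longer exists (the O2 BHOs, the O3 toolbar and the four O20 Winlogon Notify DLLs), a service whose image path has no file extension (MSControlService pointing at C:\WINDOWS\system32\windows), and a core system binary name running from somewhere other than System32. As an added illustration, not part of the thread and not a HijackThis feature, the Python below runs those three checks over log lines. The O2/O3/O4/O20 lines in the sample are copied from the log above; the process-list entry outside System32 and the O23 line for MSControlService are constructed so that each check fires. The heuristics themselves (which sections count, the assumption that Windows lives in C:\WINDOWS as on this XP box) are the example's own choices.

```python
"""Triage of HijackThis-style log lines for common persistence indicators.

Added example; not part of the original thread and not HijackThis code.
"""
import ntpath
import re

# Assumption: default XP install path, as in the posted log.
SYSTEM32 = "c:\\windows\\system32\\"
# Binaries that legitimately run only from System32; the same names in
# another directory are a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "smss.exe"}
AUTOSTART_SECTIONS = {"O2", "O3", "O20"}
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Constructed sample: O2/O3/O4/O20 lines copied from the posted log; the
# Application Data svchost.exe and the O23 line are constructed for the example.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USER\Application Data\AppPatch\svchost.exe
C:\WINDOWS\explorer.exe

O2 - BHO: (no name) - {4BB598B5-73CB-4F79-ACE6-5893B52657E3} - C:\Program Files\Movie Maker\sateginy4444.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: seuagtos - seuagtos.dll (file missing)
O20 - Winlogon Notify: yayxutt - yayxutt.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def triage(log_text):
    """Return a list of (finding, line) pairs for the indicators above."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            name = ntpath.basename(line).lower()
            if name in SYSTEM_BINARIES and not line.lower().startswith(SYSTEM32):
                findings.append(("masquerading-process", line))
            continue
        m = re.match(r"(O\d+) - (.*)", line)
        if not m:
            continue
        section, body = m.groups()
        if section in AUTOSTART_SECTIONS and body.endswith(ORPHAN_MARKERS):
            # The registry entry is still there even though its DLL is gone.
            findings.append(("orphaned-autostart", line))
        elif section == "O23":
            image = body.rsplit(" - ", 1)[-1]
            if not ntpath.splitext(image)[1]:
                # A service image with no extension is not a normal PE install.
                findings.append(("service-without-extension", line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:26} {line}")
```

Orphaned entries are worth keeping in the output even though their file is gone: the registry key is the persistence mechanism, and the fix script in the next post removes exactly those keys.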

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 08 March 2008 - 02:46 PM

I edited your post to remove the codebox tags. Please don't use them, it makes logs harder to read.

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 08 March 2008 - 06:03 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\windows
    C:\WINDOWS\system32\CelldoradoIconUK.ico
    C:\WINDOWS\system32\ydrouutb.dllbox
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB598B5-73CB-4F79-ACE6-5893B52657E3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A49EF9E3-3BD5-433A-9D30-8C2AB7B2F2D3}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SDLC]
    [-HKEY_CLASSES_ROOT\CLSID\{7C24EABB-6704-4BD0-A9F5-537A3D2378A0}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\seuagtos]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurqpp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxutt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydrouutb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24459ee0]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blue Frog]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecrebv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Izhzji]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NITE]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\server]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Services]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Toolkit]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usrr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoGirls_gb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Accelerators ]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS SYSTEM]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win_spool2]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MSControlService"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{028E2D30-93C4-EAEB-0801-040005020704}]
    Driver::
    MSControlService
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    [image: CFscript.txt being dragged onto combofix.exe]
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

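The script in the post above uses ComboFix's CFScript syntax: a section header ending in "::", bare paths under File::, bare service names under Driver::, and under Registry:: either "[-KEY]" to delete a whole key, "[KEY]" followed by "name"=- to delete one value, or "name"=dword:... to set one. Because a script like this is executed with no confirmation, it is worth reading it back as a list of actions first. The Python below is an added example (not ComboFix's code and not part of random/random's post) that parses a script into structured actions, summarises them, and warns about entries too broad to delete safely. It assumes only the syntax visible in the post; the sample is a trimmed copy of that script.

```python
"""Parse a ComboFix CFScript into structured actions and summarise it before it is run.

Added example; not ComboFix's own code. Only the syntax shown in the post
above is handled: 'Section::' headers, bare paths/service names, '[-KEY]',
'[KEY]', '"name"=-' and '"name"=value'.
"""
import re

# Constructed sample: a trimmed copy of the script in the post above.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\CelldoradoIconUK.ico
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB598B5-73CB-4F79-ACE6-5893B52657E3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\seuagtos]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSControlService"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
Driver::
MSControlService
"""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")


class CFScriptError(ValueError):
    """Raised for a line that does not fit the syntax assumed here."""


def parse_cfscript(text):
    """Return a list of action tuples: (kind, target[, value])."""
    actions = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2], None
            continue
        if section is None:
            raise CFScriptError(f"line {lineno}: directive before any section header")
        if section == "File":
            actions.append(("delete_file", line))
        elif section == "Driver":
            actions.append(("delete_service", line))
        elif section == "Registry":
            key = re.fullmatch(r"\[(-?)(.+)\]", line)
            if key:
                if key.group(1) == "-":
                    actions.append(("delete_key", key.group(2)))
                    current_key = None
                else:
                    current_key = key.group(2)      # following value lines apply here
                continue
            val = re.fullmatch(r'"([^"]+)"=(.*)', line)
            if not val or current_key is None:
                raise CFScriptError(f"line {lineno}: value line outside a [KEY] block: {line}")
            name, value = val.groups()
            if value == "-":
                actions.append(("delete_value", current_key + "\\" + name))
            else:
                actions.append(("set_value", current_key + "\\" + name, value))
        else:
            raise CFScriptError(f"line {lineno}: unknown section {section!r}")
    return actions


def sanity_check(actions):
    """Warn about deletions that are too broad or targets that are not absolute."""
    warnings = []
    for act in actions:
        kind, target = act[0], act[1]
        if kind == "delete_key":
            hive, _, rest = target.partition("\\")
            # Refuse hive roots and keys only one or two levels deep.
            if hive not in HIVES or rest.count("\\") < 2:
                warnings.append(f"broad or malformed key deletion: {target}")
        elif kind == "delete_file" and not re.match(r"^[A-Za-z]:\\", target):
            warnings.append(f"File:: entry is not an absolute path: {target}")
    return warnings


def summarize(actions):
    """Count actions by kind, e.g. {'delete_file': 2, 'delete_key': 2, ...}."""
    counts = {}
    for act in actions:
        counts[act[0]] = counts.get(act[0], 0) + 1
    return counts


if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    print(summarize(acts))
    for w in sanity_check(acts):
        print("WARNING:", w)
```

Reading the script this way also makes the intent of each block explicit: the two security center values are being reset to 0 because the infection had switched off the antivirus and update notifications, and the msconfig\services value plus the Driver:: entry together remove the MSControlService registration that the service itself had left behind.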

#6 Tommynumber

Tommynumber
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Stafford UK
  • Local time:01:53 AM

Posted 09 March 2008 - 03:00 PM

Thanks for all your help so far.

These are the latest logs:

ComboFix 08-03-07.4 - THOMAS RUSSELL 2008-03-09 18:59:13.2 - NTFSx86
Running from: C:\Documents and Settings\THOMAS RUSSELL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\THOMAS RUSSELL\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\CelldoradoIconUK.ico
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\ydrouutb.dllbox
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CelldoradoIconUK.ico
C:\WINDOWS\system32\ydrouutb.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService


((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 18:43 . 2008-03-09 18:44 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\CopyTransManager
2008-03-09 18:22 . 2008-03-09 18:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 18:22 . 2008-03-09 18:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 16:45 . 2008-03-05 16:53 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\CopyTrans
2008-03-05 16:44 . 2008-03-05 16:44 <DIR> d-------- C:\Program Files\WindSolutions
2008-03-05 16:44 . 2008-03-05 16:44 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\CopyTransControlCenter
2008-03-05 16:44 . 2008-03-05 16:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\CopyTransControlCenter
2008-03-05 16:41 . 2008-03-05 16:41 <DIR> d-------- C:\Program Files\Mediafour
2008-03-05 13:49 . 2008-03-05 13:49 <DIR> d-------- C:\Program Files\StyleCam Blink
2008-03-05 13:49 . 2008-03-05 13:49 <DIR> d-------- C:\Program Files\Common Files\DSC-07
2008-03-05 13:49 . 2002-04-17 18:35 63,104 --a------ C:\WINDOWS\system32\drivers\MXCap3.sys
2008-03-05 13:49 . 2002-01-22 15:01 50,688 --a------ C:\WINDOWS\system32\drivers\MXBulk3.sys
2008-03-05 13:49 . 2002-03-19 16:10 32,768 --a------ C:\WINDOWS\system32\infcpy.dll
2008-03-05 13:49 . 2002-03-08 21:48 23,936 --a------ C:\WINDOWS\system32\drivers\MXCamD.sys
2008-03-05 13:49 . 2002-03-29 15:31 446 --a------ C:\WINDOWS\system32\dsc06.reg
2008-03-05 13:49 . 2001-08-10 14:36 25 --a------ C:\WINDOWS\AVIMaker.INI
2008-03-03 13:57 . 2008-03-03 13:57 <DIR> d-------- C:\Program Files\NuCam
2008-03-03 13:57 . 2002-12-17 11:13 397,440 --a------ C:\WINDOWS\system32\drivers\biomini.sys
2008-03-03 13:57 . 2003-01-27 17:46 18,944 --a------ C:\WINDOWS\system32\B2Filter.ax
2008-03-03 13:57 . 2002-05-15 17:07 14,061 --a------ C:\WINDOWS\BLINK2DS.ini
2008-03-03 13:57 . 2001-10-31 17:51 7,438 --a------ C:\WINDOWS\BLINK2DS.src
2008-02-25 14:53 . 2008-02-25 14:53 <DIR> d-------- C:\Program Files\iPod
2008-02-25 14:52 . 2008-02-25 14:53 <DIR> d-------- C:\Program Files\iTunes
2008-02-23 16:43 . 2008-02-23 16:43 <DIR> d-------- C:\Program Files\VirtualDJ
2008-02-19 17:52 . 2008-02-20 13:50 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\AVG7
2008-02-19 17:47 . 2008-02-19 17:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-19 17:46 . 2008-02-19 17:46 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 17:46 . 2008-02-19 17:54 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 15:29 . 2008-03-08 14:07 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 15:28 . 2008-03-06 18:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-14 15:28 . 2008-02-14 15:28 <DIR> d-------- C:\Documents and Settings\THOMAS RUSSELL\Application Data\PC Tools
2008-02-14 15:28 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-14 15:28 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-14 15:28 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-14 15:28 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-12 19:20 . 2008-02-16 14:54 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-02-09 23:57 . 2008-02-09 23:57 <DIR> d-------- C:\WINDOWS\system32\NetMon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 21:09 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-03-06 21:09 --------- d-----w C:\Program Files\Winamp
2008-03-06 21:08 --------- d-----w C:\Program Files\Timed Shutdown
2008-03-06 21:04 --------- d-----w C:\Program Files\Microsoft Works
2008-03-06 21:02 --------- d-----w C:\Program Files\ffdshow
2008-03-06 21:02 --------- d-----w C:\Program Files\DVD Shrink
2008-03-06 21:02 --------- d-----w C:\Program Files\DivX
2008-03-06 19:07 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2 SDK
2008-03-06 19:00 --------- d-----w C:\Program Files\vso
2008-03-06 19:00 --------- d-----w C:\Program Files\Uplink
2008-03-06 19:00 --------- d-----w C:\Program Files\SopCast
2008-03-06 18:59 --------- d-----w C:\Program Files\MP3 Workshop
2008-03-06 18:59 --------- d-----w C:\Program Files\MP3 Audio Sound Recoder
2008-03-06 18:31 --------- d-----w C:\Program Files\Driving Test Success Practical
2008-03-06 18:31 --------- d-----w C:\Program Files\CompuServe 2000 Version 6
2008-03-06 18:31 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-03-06 18:31 --------- d-----w C:\Program Files\AVIcodec
2008-03-06 18:31 --------- d-----w C:\Program Files\Avi2Dvd
2008-03-06 18:19 --------- d-----w C:\Program Files\MSN Messenger
2008-03-06 18:16 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\uTorrent
2008-03-06 17:30 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\dvdcss
2008-03-05 13:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 14:54 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\Apple Computer
2008-02-25 14:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-19 15:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-12 17:00 --------- d-----w C:\Program Files\MSN Webcam Recorder
2008-02-04 01:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-04 01:12 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-04 01:12 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\InstallShield
2008-02-04 00:55 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-04 00:55 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-02-04 00:46 20,520 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-02-04 00:46 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-02-03 19:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-03 19:12 --------- d-----w C:\Documents and Settings\THOMAS RUSSELL\Application Data\Sony
2008-02-03 19:00 --------- d-----w C:\Program Files\QuickTime
2008-02-03 18:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-03 18:55 --------- d-----w C:\Program Files\Apple Software Update
2008-01-23 02:28 360,580 -c--a-w C:\WINDOWS\eSellerateEngine.dll
2008-01-23 02:26 --------- d-----w C:\Program Files\MSN Content Plus Inc
2008-01-18 18:27 --------- d-----w C:\Program Files\WinPcap
2008-01-09 23:08 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-01-18 19:28 87,608 ----a-w C:\Documents and Settings\THOMAS RUSSELL\Application Data\ezpinst.exe
2007-01-18 19:28 47,360 ----a-w C:\Documents and Settings\THOMAS RUSSELL\Application Data\pcouffin.sys
2003-06-24 19:43 461 -c--a-w C:\Program Files\INSTALL.LOG
2003-05-15 20:52 4 ----a-w C:\Program Files\system.log
2005-05-13 17:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 11:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-10-13 21:27 422,400 -csha-r C:\WINDOWS\x2.64.exe
2003-10-04 21:38 881,261 --sha-w C:\WINDOWS\system32\2loops_niw.dat
2005-10-07 19:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 12:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 15:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 10:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 13:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-19 17:53 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 17:46 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
backup=C:\WINDOWS\pss\Search.vbsCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\THOMAS RUSSELL\Start Menu\Programs\Startup\Adobe Gamma Loader.exe

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\THOMAS RUSSELL\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^WinMySQLadmin.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS RUSSELL^Start Menu^Programs^Startup^ZMatrix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_RegCleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamCheck]
--a------ 2003-02-06 16:18 90112 C:\Program Files\NuCam\CamCheck\CamCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-11-17 11:53 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gearbox]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Halo2Cluster]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iVISTA]
--a------ 2001-11-13 17:19 851968 C:\Program Files\Inetcam\iVISTA40\programs\ivista.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-30 09:40 380928 C:\PROGRA~1\ntl\broadband medic\SmartBridge\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Webcam Recorder]
--a------ 2006-01-31 01:14 131072 C:\Program Files\MSN Webcam Recorder\ml20gui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-01-23 02:28 7094272 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-11-14 17:47 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--------- 2007-10-18 15:42 356352 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedItUpEX]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbo Memory Charger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-29 01:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 17:38 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMap"=2 (0x2)
"ssoftservice"=2 (0x2)
"rpcapd"=3 (0x3)
"MySql"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"vsmon"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"fsbwsys"=2 (0x2)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Diskeeper"=2 (0x2)
"BackWeb Plug-in - 4476822"=2 (0x2)
"AvgServ"=2 (0x2)
"O&O Defrag"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"PavPrSrv"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"kavsvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)
"AVGEMS"=2 (0x2)
"AVP"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\THOMAS RUSSELL\\Desktop\\utorrent.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Blink2PnP;Blink2PnP;C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe [1997-05-14 23:49]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 05:31]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-04 00:46]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys [2002-01-22 15:01]
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys [2002-04-17 18:35]
S3 RapFile;RapFile;C:\WINDOWS\System32\drivers\RapFile.sys [2003-02-10 16:28]
S3 RapNet;RapNet;C:\WINDOWS\System32\drivers\RapNet.sys [2003-02-10 16:28]

.
Contents of the 'Scheduled Tasks' folder
"2007-05-04 13:33:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 19:08:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-09 19:14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 19:14:19
ComboFix2.txt 2008-03-08 14:35:37
.
2008-02-27 16:01:28 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:28, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\THOMAS RUSSELL\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186956689702
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140617505968
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.135/tools/FlipsideWebLauncherControl.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - https://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: (no name) - http://us.f1.yahoofs.com/users/19d01277/bc...fxHO.8AbsiyHRXr
O24 - Desktop Component 1: (no name) - http://perso.club-internet.fr/jminazio/ElBuro.gif

--
End of file - 6535 bytes

:thumbsup:

#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:53 AM

Posted 10 March 2008 - 03:07 PM

Do you recognize this?

O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Then close all windows except HijackThis and click Fix Checked


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.

Edited by random/random, 10 March 2008 - 03:08 PM.
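The checks this reply applies by eye (a system-binary name running from an unexpected path, an O3 toolbar with no file, an O23 service with an unknown owner) as a small triage pass over HijackThis-style log lines. This is an added example, not code from the thread, HijackThis or BleepingComputer; it assumes C:\WINDOWS is the system root and runs over a constructed sample log modelled on the lines posted above.

```python
import re

# Added example: a triage pass over HijackThis-style log lines, modelled on the
# checks the helper applied in this thread. Not part of HijackThis itself.

# Assumption: the system root is C:\WINDOWS, as in the logs posted here.
WINDOWS_DIR = "c:\\windows\\"
# Windows binaries that never legitimately run from a user's profile folder.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")   # e.g. "O23 - Service: ..."


def flag_process(path):
    """Return a reason if a 'Running processes' path deserves a look, else None."""
    name = path.rsplit("\\", 1)[-1]
    if any(ord(ch) > 127 for ch in name):
        # A lookalike character (the '?' in the poster's ?vchost.exe) is a
        # different file that merely reads as svchost.exe in the process list.
        return "non-ASCII character in executable name"
    if name.lower() in SYSTEM_BINARIES and not path.lower().startswith(WINDOWS_DIR):
        return "system binary name running outside the Windows directory"
    return None


def flag_entry(line):
    """Return a reason for the HijackThis O-lines the helper singled out."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O3" and body.endswith("(no file)"):
        return "toolbar registration whose file is gone (orphan; safe to fix)"
    if kind == "O23" and " - Unknown owner - " in body:
        return "service without a publisher; confirm it was installed on purpose"
    return None


def triage(log_text):
    """Walk a log and return [(line, reason)] for every flagged line."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        reason = flag_process(line) if in_processes else flag_entry(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample (not the thread's full log): two lookalike svchost.exe paths
# modelled on the one in post #1, plus the O3 and O23 lines quoted in post #7.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\USERNAME\Application Data\AppPatch\svchost.exe",
    "C:\\Documents and Settings\\USERNAME\\Application Data\\AppPatch\\\u0455vchost.exe",
    r"C:\WINDOWS\explorer.exe",
    "",
    "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
])
```

Running `triage(SAMPLE_LOG)` flags the two profile-folder svchost lines, the orphaned O3 toolbar and the Blink2PnP service, and leaves the genuine svchost.exe, AVG and iPod entries alone.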


#8 Tommynumber

Tommynumber
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Stafford UK
  • Local time:01:53 AM

Posted 11 March 2008 - 09:50 AM

C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

That was a driver from an old webcam.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2937 (20080311)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5ebac5ec9e7215459cf3ead7b4d4f68a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-11 12:59:04
# local_time=2008-03-11 12:59:04 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=160596
# found=8
# scan_time=4295
C:\QooBox\Quarantine\C\WINDOWS\system32\jnqoqcpm.dll.vir Win32/Adware.AdMedia application FC00791162303D63C54BC270EE43F42C
C:\QooBox\Quarantine\C\WINDOWS\system32\nrmvhdrv.dll.vir Win32/Adware.AdMedia application FC00791162303D63C54BC270EE43F42C
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64
C:\QooBox\Quarantine\C\WINDOWS\system32\wqjuworo.dll.vir Win32/Adware.SecToolbar application 41F5D56D2E4F3E8309E3E87BA6F19C8A
C:\QooBox\Quarantine\C\WINDOWS\system32\xgillndw.dll.vir Win32/Adware.AdMedia application FC00791162303D63C54BC270EE43F42C
C:\QooBox\Quarantine\C\WINDOWS\system32\xgonnwhr.dll.vir Win32/Adware.AdMedia application FC00791162303D63C54BC270EE43F42C
C:\QooBox\Quarantine\C\WINDOWS\system32\m5\dcatdrive6.exe.vir Win32/TrojanDownloader.Small.IAW trojan 6E017C51258BDED9BCB39E95FD0B53A6
C:\QooBox\Quarantine\C\WINDOWS\system32\SMBOLS~1\winspool.exe.vir a variant of Win32/TrojanDownloader.PurityScan trojan 44E5B6B539F2C010A2CF178A5EE13D99

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:51, on 11/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\THOMAS RUSSELL\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186956689702
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140617505968
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.135/tools/FlipsideWebLauncherControl.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - https://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: (no name) - http://us.f1.yahoofs.com/users/19d01277/bc...fxHO.8AbsiyHRXr
O24 - Desktop Component 1: (no name) - http://perso.club-internet.fr/jminazio/ElBuro.gif

--
End of file - 6581 bytes


All my svchost.exe processes seem to be using a normal amount of CPU now, and I haven't had any Outerinfo popups. :thumbsup:

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:53 AM

Posted 11 March 2008 - 01:32 PM

You can delete combofix.exe & the C:\qoobox folder

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too much spam posting to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Two good paid for antivirus programs are NOD32 and Bitdefender
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Install and use a firewall with outbound protection
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Online Armor
    See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.
